Internal Audit Office

Kansas State University
5 Anderson Hall
Manhattan, KS 66506-0118

785-532-7308
785-532-0186
internalaudit@k-state.edu

Collection, Use and Protection of Social Security Numbers

Chapter 3495
Revised September 2, 2010

Table of Contents

.010 Purpose
.020 Scope
.030 Objectives
.040 Policy
.050 Implementation and Timeframe
.060 Legacy Data
.070 Related Laws, Regulations and Policies
.080 Questions
Appendixes:
.100 Appendix A
.110 Appendix B

.010 Purpose

Kansas State University ("the University") is committed to protecting the privacy and confidentiality of personal information related to students, faculty, staff, and other individuals associated with the University. This policy governs the collection, storage, use, and disclosure of Social Security Numbers (SSNs) at the University, consistent with federal and state laws and regulations and the increasing need to protect personal identity data. This policy also authorizes the creation of alternative methods of identification that will reduce reliance on the SSN, allow for easy identification of a person for University transactions, and provide for linking an individual's personal information and records in various university information systems. Kansas State University acknowledges the assistance of the University of Maryland in preparation of this policy. Additional policies consulted include University of Minnesota, 3/17/2005; Georgia Southern University, undated; and Baylor University, undated.

.020 Scope

This policy applies to all university colleges, departments, administrative units, and affiliated organizations. For the purposes of this policy, affiliated organization refers to any organization associated with the University that uses university computer network resources to create, maintain, or store data to perform their business functions.

.030 Objectives

In issuing this policy, the University is guided by the following objectives.

  1. Broader awareness of the confidential nature of the SSN and the risk of identity theft related to unauthorized disclosure.
  2. Reduced collection of SSNs except where authorized by law.
  3. Reduced use of the SSN in records and information systems, including display screens and printed reports.
  4. Reduced electronic storage of SSNs to a minimum number of locations with the goal being one location when that is possible.
  5. Consistent policies regarding the collection, storage, use, and disclosure of SSNs throughout the University.
  6. Increased confidence by students, employees, and affiliates/guests that their SSNs are handled in a confidential manner.

.040 Policy

Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions. (See Appendix A for a list of currently approved uses of the SSN.) While the SSN will continue to be collected and retained as authorized by law, it will not be used for routine identification or authentication purposes. A unique nine-digit university identification number called the Wildcat ID Number (WID) will be permanently assigned to each individual associated with the University as a personal identifier alternative to the SSN. The WID will begin with an "8" to prevent confusion with an SSN. For computer access, individuals will also have a unique electronic identification (eID) to be used in combination with a password.

.050 Implementation and Timeframe

Traditionally, the University, like many universities, has used the SSN as a common "person" identifier and as the key to university records and information systems maintaining personal information. The University recognizes that many of its major systems use the SSN or the SSN as the Student ID Number as the primary key. Conversion of systems will take time and resources. The expectation is that there will be steady and purposeful movement away from dependency on the SSN. A multi-year plan will be developed in coordination with university entities for meeting the requirements of this policy. Appropriate interim measures may be developed until such time as the conversion to alternative personal identifiers is complete.

Implementing Requirements

  1. Kansas State University prohibits the use of a person's SSN as a publicly visible identification number for University-related transactions, unless specifically required by law or business necessity.
  2. Each member of the University community will be assigned a unique identification number that will not be the same as nor derived from the individual's SSN. This number is called the Wildcat ID Number (WID). The WID will be printed on University photo ID cards.
  3. For computer access or sign-in purposes, University students, faculty, staff, and others will create an electronic identifier (eID) to be used in combination with a password. The eID will be used as the standard identifier for all computer resource authentication purposes.
  4. SSNs will not be used for identification purposes unless required by law or internal university business necessity. For business processes that require an SSN, the last four digits of the SSN may be used to confirm the identity of an individual.
  5. Academic records, such as grades, and other pieces of personal information will not be publicly posted or displayed with the SSN or any portion of the SSN.
  6. Any University office that requests an SSN from an individual must indicate if it is voluntary or required. The request should include or be accompanied by a disclosure statement approved by the University Data Administrator. Disclosure statements should state under what authority and why the SSN is being requested, how the number will be used, and to whom it can be disclosed. Sample disclosure notifications for students, employees, and affiliates/guests are provided in Appendix B.
  7. An SSN can only be used for the purpose it was collected.
  8. Systems developed or purchased by the University after the effective date of this policy shall comply with the provisions of this policy. Such systems will not collect SSNs, or display SSNs visually, whether on monitors, printed forms, hardcopy reports, or other system output, unless required by law or business necessity. See Appendix A for further information.
  9. In the transition to one location for the SSN, university systems may use the SSN as a data element, but not as a key for access to databases. In exceptional circumstances, it may be necessary to use the SSN as an alternative search field. All such cases shall be approved by the University Data Administrator, who shall seek recommendations from the Data Resource Stewards Committee.
  10. When a business process requires the SSN, it must be stored in a secure manner. The SSN shall not be stored on devices that are not secured (e.g., laptops, PDAs, CDs). Any transmission of data containing SSNs must be encrypted over any communication network. Encryption policy is specified in PPM 3415.040.
  11. Any University department or office that collects and/or maintains an individual's SSN in either paper or electronic media must: 1) ensure that the number is stored in a secure and confidential environment; 2) eliminate using the number for any purpose except those specifically addressed in this policy; 3) begin a steady and purposeful movement away from dependency on the SSN in performing its functions and processes; 4) properly control and restrict access to SSNs to prevent unauthorized disclosure; and 5) properly erase or destroy the storage devices or printed documents that contain SSNs to ensure the information cannot be recovered or reconstructed.

.060 Legacy Data

The University recognizes that the SSN must be retained and used as a person identifier in information systems containing older "legacy" data pertaining to ex-students, ex-faculty or staff, or others formerly associated with the university. It is impractical to assign WID numbers to these individuals. In addition, SSNs will continue to be assigned as Student ID numbers to students and used in university mainframe applications until the implementation of the new student information system.

.070 Related Laws, Regulations and Policies

A variety of federal and state laws and regulations address the use of the SSN. These include the Privacy Act of 1974, the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), and Kansas Statutes Annotated, 76-768.

.080 Questions

The Chief Information Officer (CIO) is responsible for this policy. Questions should be directed to the Department for Data and Information Administration, telephone number 532-5698.

.100 Appendix A

Approved Uses for Social Security Numbers (SSN)

Appendix A is considered to be part of this policy (Collection, Use, and Protection of Social Security Numbers, Chapter 3495).

The SSN is required for certain legal and business activities and to ensure the accuracy of inter-institutional data exchanges and communications between institutions involved in those activities. Approved uses of the SSN by the University are listed below.

Employment: The SSN is required for a variety of employment matters, such as proof of citizenship, tax withholding, FICA, or Medicare.

Application and Receipt of Financial Aid: Students applying for student aid using the federal Free Application For Student Assistance (FAFSA) are required to provide SSNs. Students are also required to provide SSNs when applying for student education loans.

Tuition Remission: The SSN is required for state reporting of taxable tuition remission benefits received by employees, their spouses and dependents, and by graduate assistants.

Benefits Administration: The SSN is often required for verifying enrollment, processing, and reporting on various benefit programs, such as medical benefits, health insurance claims and veterans' programs.

Insurance: The SSN will be needed to file insurance claims through Lafene Health Center.

IRS Reporting: The SSN is used for federally required reporting to the IRS. For example, the University reports the value of all taxable and non-taxable scholarships and grants awarded to non-resident aliens to the IRS.

Student Information Exchange: Many institutions, including postsecondary educational institutions, use the SSN as a student identifier. The SSN may be used for the exchange of information from student academic records between appropriate institutions, including other colleges and universities or certification and licensure programs.

.110 Appendix B

SAMPLE DISCLOSURE STATEMENTS

A. Student Notification - Voluntary SSN Disclosure

(optional) Solicited per K.S.A. 76-725. Used as a student identifier for records and accounts. Required if applying for federal or state financial aid (using FAFSA) and/or educational tax credit/incentives.

B. Employee Notification - Required SSN Disclosure

(mandatory) Solicited per K.S.A. 76-725. Used for tax withholding, record keeping, and government reporting.

C. Affiliates Notification - Voluntary SSN Disclosure

(optional) Solicited per K.S.A. 76-725. Used as an identifier and for record keeping.