Policy AD19 USE OF PENN STATE IDENTIFICATION NUMBER AND SOCIAL SECURITY NUMBER

Contents:

  • Purpose
  • General Statement
  • Role of Chief Privacy Officer
  • Use of Social Security Number
  • .... Collection of Social Security Number Within University Records
  • .... Disclosure Statements
  • .... Security and Privacy of Social Security Number
  • .... Central Identification Repository (CIDR)
  • .... Data Stewards
  • .... SSN Within Historical Records
  • Penn State Identification Number - PSU ID
  • .... General Information
  • .... Assignment of the PSU ID
  • ........ Constituent Groups
  • ........ Initial Assignment of the PSU ID
  • ........ Duplicate or Multiple PSU ID
  • ........ Replacement of PSU ID
  • .... PSU ID and Penn State id+ Card
  • Cross References

  • PURPOSE:

    This policy governs the use of Social Security numbers (SSN) at Penn State and recognizes the use of the PSU ID as the primary identification number for students and employees.  Any personal health information originating from a covered component of Penn State and attached to the SSN may be protected health information (see Policy AD22).  The Pennsylvania College of Technology, although affiliated with Penn State, has its own policy regarding the use of SSNs within its systems.  However, its policy must provide compatibility with ISIS (Integrated Student Information System) and IBIS (Integrated Business Information System) as necessary.

    GENERAL STATEMENT:

    Penn State is committed to maintaining the privacy and confidentiality of an individual's SSN. Therefore, the use of SSNs as an identification number within the University shall be limited. A Penn State Identification Number (PSU ID) is assigned to all students and employees of Penn State as the primary identification number for Penn State purposes. SSNs will only be requested and required in certain cases, such as when required by law or for business purposes with certain third party providers, with appropriate disclosure of its use, and then stored as a private data element in Penn State's Central ID Repository (CIDR).

    ROLE OF CHIEF PRIVACY OFFICER:

    The University's Chief Privacy Officer will have oversight of the policy issues related to the PSU ID as well as the collection of the SSN within University systems. Federal and state regulations, such as the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), will be monitored by the Chief Privacy Officer to assure Penn State policies are in compliance.

    USE OF SOCIAL SECURITY NUMBER:

    COLLECTION OF SOCIAL SECURITY NUMBER WITHIN UNIVERSITY RECORDS:

    The SSN will be required to be collected and recorded when needed by federal or state governmental agencies or by outside third parties. Other reasons for collecting a SSN may be designated by the Office of General Counsel or the University Chief Privacy Officer.

    Authorized University employees may use SSNs during the execution of their duties, especially if a primary means of identification, such as the PSU ID, is not known or available.

    University offices may not collect SSNs for other purposes, except those noted below. Even these areas must request an authorization from the Chief Privacy Officer if the SSN is to be stored electronically anywhere other than Penn State's Central ID Repository (CIDR). The primary uses and reasons for collecting a SSN include the following:

    The SSN may also be released to entities outside the University where required by federal or state law, regulation or procedure, or if the individual grants permission.

    DISCLOSURE STATEMENTS:

    The use of a disclosure statement when requesting the SSN is not required although several University offices have adopted the use of standard disclosure statements on forms requesting SSNs from prospective students and on forms where services are requested that require SSNs.

    SECURITY AND PRIVACY OF SOCIAL SECURITY NUMBER:

    If a SSN is collected for a student, employee, or other constituent, it will be stored as a private data element for that individual within the Central Identification Repository (CIDR) (with the exception of SSNs collected as taxpayer IDs within the IBIS accounts payable system, which will be stored as part of the vendor record). The University will take reasonable precautions to protect the SSN for all individuals who provide it, but the SSN must be available to University employees if required to complete the business of the University. In no case will a SSN be used as an identifier in a University system covered under this policy, including as an indexing system for imaged documents, unless the Chief Privacy Officer has approved an authorization.

    All records containing SSNs, whether on or off-line, will be considered confidential information and should be secured appropriately. If and when these records are no longer needed, disposal of the records must be done securely, and the disposer must follow University Policy AD35 - Archives and Records Management.

    CENTRAL IDENTIFICATION REPOSITORY (CIDR):

    SSNs are secured in a Central Identification Repository (CIDR) with limited and encrypted (secure) access rights. Those offices which require the storage of SSNs within their systems rather than in CIDR must have permission from the University's Chief Privacy Officer to store the SSN outside CIDR. Crosswalk files that cross-reference PSU IDs to SSNs are prohibited with the exception of CIDR, unless approved by the Chief Privacy Officer. Authorization requests can be made at privacy@psu.edu.

    The data within CIDR is Penn State data and will be available to those authorized to view data within CIDR. However, the data is considered to be confidential data and may not be used by any office for purposes of data mining.

    In certain cases, collection of an individual's SSN may have additional privacy considerations (e.g. the information collected may only be used within the scope of the project for which it was collected) - those cases will be reviewed with the Chief Privacy Officer to determine appropriate handling.

    DATA STEWARDS:

    The Corporate Controller's Office has assigned Data Stewards who are responsible for the control of PSU IDs, SSNs and other data elements in the Central Identification Repository (CIDR), including determining which data elements are mandatory and optional for each affiliation. These Data Stewards also coordinate the operational aspects of revising, deleting and merging records within the CIDR, and the issuance of new PSU IDs as required. The Data Stewards will grant permission to appropriate offices to assign the PSU ID. The Data Stewards work closely with the Chief Privacy Officer to implement new policy or procedures intended to protect the confidentiality of individual records and data.

    SSN WITHIN HISTORICAL RECORDS:

    SSNs may be a part of historical databases or imaged documents given its past use as the primary identifier at Penn State. Penn State will make a good faith effort to convert on-line databases and information, but given the volume of data, will not be able to convert historical records stored in off-line technology or as imaged documents. In no case can SSNs be used as a primary identifier in a University system, including as an indexing system for imaged documents unless the Chief Privacy Officer grants permission. If permission is not granted, the indexes must be changed to use the PSU ID or another key, or the documents must be purged from the system. Following are additional guidelines on use of SSNs within historical records:

    On-Line:

    Off-Line:

    All records that are no longer needed must be purged and disposal of the records must follow University Policy AD35 - Archives and Records Management.

    PENN STATE IDENTIFICATION NUMBER - PSU ID:

    GENERAL INFORMATION:

    A Penn State Identification Number or PSU ID is assigned to individuals and is to be used as the primary identifier in Penn State's administrative and academic systems. The PSU ID is a nine digit number, beginning with 9 in the following format: 9-XXXX-XXXX.

    The PSU ID is unique to the individual and is a lifetime assignment used for multiple and changing relationships with Penn State.

    The following apply to all individuals assigned a PSU ID:

    ASSIGNMENT OF THE PSU ID:

    CONSTITUENT GROUPS:

    There are three major groups to whom PSU IDs are assigned - students, employees and other entities - and different regulations apply to each.

    INITIAL ASSIGNMENT OF THE PSU ID:

    Only after determining that an individual does not have a PSU ID will one be assigned. The Data Stewards authorize which areas of the University will have the authority to establish a PSU ID for an individual, if one does not already exist. Assigning a PSU ID will require certain minimum information about the individual as prescribed by the Data Steward. Those offices assigning PSU IDs must notify constituents of their new PSU ID in a timely manner, using consistent methods and wording as specified by the Data Stewards.

    DUPLICATE OR MULTIPLE PSU ID:

    If multiple PSU IDs are issued to a single individual or if two individuals are issued the same PSU ID, the University office discovering the duplicate or multiple must contact the Data Stewards and after verification of the multiple assignment, the records will be merged or separated and the individual or individuals notified of which PSU ID will be valid in the future.

    REPLACEMENT OF PSU ID:

    If an assigned PSU ID has been compromised and used fraudulently, an individual may request a new PSU ID number subject to the review and approval of the Chief Privacy Officer.

    PSU ID AND PENN STATE id+ CARD:

    The PSU ID is printed on the Penn State id+ card so that individuals have a permanent record of their PSU ID for reference purposes. Individuals issued id+ cards will be expected to keep the card secure. The id+ Card has a brief disclosure statement on the back of the card regarding the individual's responsibility for keeping the card and the PSU ID secure: If an id+ card must be replaced, the PSU ID will remain the same, but a new id+ card number will be issued.

    Policy AD24 governs the issuance of id+ cards, and not all individuals assigned a PSU ID will receive an id+ card.

    CROSS REFERENCES:

    Other Policies in this manual should also be referenced, especially the following:

    AD11 - University Policy on Confidentiality of Student Records

    AD22 - Health Insurance Portability and Accountability Act (HIPAA)

    AD24 - Identification Cards

    AD35 - Archives and Records Management

    Additionally consult this student policy:

    Student Policy N-1 - Confidentiality of Student Records


    Effective Date: April 11, 2007
    Date Approved: April 9, 2007
    Date Published: April 10, 2007 (Editorial changes, October 2, 2012)

    Most recent changes:

    Revision History (and effective dates):

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Penn State website |