Guideline ADG08 COLLECTION, STORAGE AND AUTHORIZED USE OF SOCIAL SECURITY NUMBERS AND PENN STATE IDENTIFICATION NUMBERS

Policy Steward: Vice President for Administration

Contents:

  • Purpose
  • Applicability
  • Use of the Social Security Number
  • Collection of Social Security Numbers Within University Records
  • Disclosure Statements
  • Central Identification Repository (CIDR)
  • Data Stewards
  • Social Security Numbers Within Historical Records
  • Security and Privacy of Social Security Numbers
  • Penn State Identification Number (PSUID)
  • General Information
  • Assignment of the PSUID
  • Constituent Groups
  • Initial Assignment of the PSUID
  • Duplicate or Multiple PSUIDs
  • Replacement of the PSUID
  • PSUID and Penn State id+ Card
  • Further Information
  • Cross References

    PURPOSE:

    This Guideline provides amplifying information related to policy AD53, with regard to specific uses of Social Security Numbers (SSNs) and Penn State Identification Numbers (PSUID) within the University. This Guideline also establishes expectations around the collection and use of SSNs, which are sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It also calls on anyone associated with the University to inventory their online and offline SSNs and reduce these risks by: (1) eliminating the use of SSNs; (2) converting SSN to PSUID; (3) when necessary, truncating SSNs to capture and display only the last four digits; and (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the information.

    APPLICABILITY:

    This Guideline is applicable to all members of The Pennsylvania State University community including but not limited to faculty, staff, contractors and their respective agents. This Guideline is also applicable at all University locations and for all University operations, with the exception of the operations conducted at or as part of the programs of the Pennsylvania College of Technology. The Pennsylvania College of Technology has its own policy regarding the use of SSNs within its systems.  However, its policy must provide compatibility with ISIS (Integrated Student Information System) and IBIS (Integrated Business Information System), as necessary.

    The information subject to this Guideline includes SSNs collected and maintained as part of University operations. For example, the handling of one's own SSN, or SSNs of family members, separate and apart from University operations is not subject to this policy, though many of the measures contained in this policy are recommended as a matter of best practice for such situations.

    USE OF THE SOCIAL SECURITY NUMBER:

    SSNs should not be used as a primary identifier in a University system. It is the responsibility of individuals subject to this Guideline to use best efforts to know and inventory where they are maintaining SSNs and to make best efforts to securely delete, convert, truncate, or secure such information.

    COLLECTION OF SOCIAL SECURITY NUMBER WITHIN UNIVERSITY RECORDS:

    The following outlines specific instances in which SSNs may be requested or required by University offices. Even these areas must request a written authorization from the Privacy Officer if the SSN is to be stored electronically anywhere other than the University's Central ID Repository (CIDR). The primary uses and reasons for collecting a SSN should be limited and include the following:

    The SSN may also be released to entities outside the University where required by federal or state law, regulation or procedure, or if the individual grants permission.

    In addition, per University Policy AD53, University systems, regardless of the category of data maintained, must be scanned for Personally Identifiable Information (PII) using University-approved scanning procedures. Please see the following resource for specific guidance and direction as to current University approved scanning procedures.

    DISCLOSURE STATEMENTS:

    It is strongly recommended that University offices adopt the use of a standard disclosure statement on forms requesting SSNs from prospective students and on forms where services are requested that require SSNs.

    CENTRAL IDENTIFICATION REPOSITORY (CIDR):

    SSNs are secured in a Central Identification Repository (CIDR) with limited and encrypted (secure) access rights. Those offices that require the storage of SSNs within their systems rather than in CIDR must have written permission from the University's Privacy Officer to store the SSN outside CIDR. Crosswalk files that cross-reference PSUIDs to SSNs are prohibited with the exception of CIDR, unless approved by the Privacy Officer. Authorization requests can be made at privacy@psu.edu.

    The data within CIDR is University data and will be available only to those authorized to view data within CIDR. The data within CIDR may not be used by any office for purposes of data mining.

    In certain cases, collection of an individual's SSN may have additional privacy considerations (e.g. the information collected may only be used within the scope of the project for which it was collected). Those cases will be reviewed with the Privacy Officer to determine the appropriate handling.

    DATA STEWARDS:

    The Corporate Controller's Office has assigned Data Stewards who are responsible for the control of PSUIDs, SSNs and other data elements in the Central Identification Repository (CIDR). Mandatory data elements are defined under the authority of the Vice Provost for Information Technology, and administered by the ITS Identity Services Unit, per University Policy AD80, Identity and Access Management (IAM).

    SOCIAL SECURITY NUMBERS WITHIN HISTORICAL RECORDS:

    SSNs may be a part of historical databases or imaged documents given past use as the primary identifier at the University. The University will make a good faith effort to convert all on-line databases and information containing SSNs to PSUIDs. Individuals subject to these guidelines should use best efforts to know and inventory where they are maintaining SSNs and to make best efforts to securely delete, convert, truncate, or secure such information.

    An inventory and identification of SSNs should be conducted as follows:

    1. Inventory SSNs by reviewing hard copy documents, including reports from information systems that contain SSNs.
    2. Identify electronic files that contain SSNs on computers including files stored in applications and databases.
    3. Identify vendors, contractors, or agents with whom you are working or who work with SSNs of the University as part of a University sponsored activity.

    In cases where complete SSNs are not necessary, and the retention of such information is not required, SSNs that have been identified should be addressed as follows:

    1. Securely destroy the information. Paper records may be securely destroyed by utilizing shredding services. Recycling of paper records containing SSNs is prohibited.
    2. Electronic information may be securely destroyed using secure individual file deletion or secure disk wipe utilities.
    3. Convert information to PSUID or other identifier. 
    4. Collect, maintain, and display only the last four digits of SSN. Truncated SSNs, while still carrying some risk, are generally less harmful to individuals from a privacy perspective as compared to complete SSNs.

    The University's Information Technology Services Office, Office of Information Security or local IT staff can be consulted when employing the above guidelines.  Disposal of the records must be done securely and in accordance with Policy AD35, University Archives and Records Management.  If, however, the database, record or document is subject to a litigation hold, please contact the Office of General Counsel before proceeding.

    Securing Complete SSNs - In some cases, the maintenance of a complete SSN is necessary to comply with legal requirements or other business or IT processes that have not yet converted from SSN usage. In such cases, this sensitive data should adhere to the security standards, below.

    SECURITY AND PRIVACY OF SOCIAL SECURITY NUMBERS:

    If a SSN is collected for a student, employee, or other constituent, it will be stored as a private data element for that individual within the Central Identification Repository (CIDR) (with the exception of SSNs collected as taxpayer IDs within the IBIS accounts payable system, which will be stored as part of the vendor record). The University will take all necessary and reasonable precautions to protect the SSN for all individuals who provide it. Please note, however, that the SSN must be available to authorized University employees if required to complete the business of the University. Any storage of an SSN outside of CIDR under authorization from the Privacy Office and as an exception to policy shall conform with the following requirements.

    On-Line:

    Off-Line:

    Need to Know Access - Access to SSNs must be restricted to individuals with a need to know for University functions to proceed.

    Restrictions on Transmission - SSNs may not be sent over any network in plain text (unencrypted), including e-mail.

    Use by Third Parties - SSNs will be released by the University to entities outside the University only when (1) permission is granted by the individual; (2) the external entity is acting as the University's contractor or agent and the University has made reasonable efforts to ensure that the entity has adequate security measures in place to protect the data from unauthorized access; (3) as approved by the Office of Audit, Compliance and Privacy; or (4) as required by law.

    PENN STATE IDENTIFICATION NUMBER (PSUID):

    General Information:

    A Penn State Identification Number or PSUID is assigned to individuals and is used as the primary identifier in the University's administrative and academic systems. The PSUID is a nine-digit number, beginning with 9, in the following format: 9-XXXX-XXXX.

    The following apply to all individuals assigned a PSUID:

    Assignment of the PSUID

    CONSTITUENT GROUPS:

    There are three major groups to whom PSUIDs are assigned - students, employees and other entities - and different guidelines apply to each.

    INITIAL ASSIGNMENT OF THE PSUID:

    Only after determining that an individual does not have an existing PSUID will a new PSUID be assigned. The Data Stewards authorize which areas of the University will have the authority to establish a PSUID for an individual, if one does not already exist. Assigning a PSUID will require certain minimum information about the individual as prescribed by the Data Steward. Those offices assigning PSUIDs must notify constituents of their new PSUID in a timely manner.

    DUPLICATE OR MULTIPLE PSUID:

    If multiple PSUIDs are issued to a single individual, or, if two individuals are issued the same PSUID, the University office discovering such errata must contact the Data Stewards and, after verification of the duplicate and/or multiple assignment, the records will be merged or separated and the individual or individuals involved will be notified of which PSUID will be valid in the future.

    REPLACEMENT OF PSUID:

    Any compromise or fraudulent use of a PSUID must be reported to the Privacy Office upon discovery. If an assigned PSUID has been compromised and used fraudulently, a new PSUID number may be issued by the ITS Identity Services Unit. Questions regarding the policy or its interpretations with respect to PSUID are subject to the review and approval of the Privacy Office.

    PSUID AND PENN STATE id+ CARD:

    The PSUID is printed on the Penn State id+ card so that individuals have a permanent record of their PSUID for reference purposes. Individuals issued id+ cards will be expected to keep the card secure. The id+ Card has a brief disclosure statement on the back of the card regarding the individual's responsibility for keeping the card and the PSUID secure. If an id+ card must be replaced, the PSUID will remain the same, but a new id+ card number will be issued.

    Policy AD24 governs the issuance of id+ cards. Please note that not all individuals assigned a PSUID will receive an id+ card.

    FURTHER INFORMATION:

    For questions, additional detail, or to request changes to this guideline, please contact the Privacy Office.

    CROSS REFERENCES:

    Other Policies should also be referenced, especially:

    AD11 - University Policy on Confidentiality of Student Records

    AD22 - Health Insurance Portability and Accountability Act (HIPAA)

    AD24 - Identification Cards

    AD35 - Archives and Records Management

    AD53 - Privacy Policy (formerly Privacy Statement)

    AD80 - Identity and Access Management (IAM)


    Effective Date: February 22, 2016
    Date Approved: February 22, 2016
    Date Published: February 22, 2016

    Most recent changes:

    Revision History (and effective dates):
