PPP-68

EAST TENNESSEE STATE UNIVERSITY
SECTION:    PPP-68
SUBJECT:    Social Security Number Policy

East Tennessee State University (ETSU) recognizes that it collects and maintains confidential information relating to its students, employees, and individuals associated with the University and is dedicated to ensuring the privacy and proper handling of this information. This should be understood as the spirit of this policy statement.

The primary purpose of this Social Security number policy is to establish the necessary procedures and awareness to ensure that University employees and students comply with both the letter and the spirit of the federal and state laws governing and restricting requests for and uses of Social Security numbers.  The University is guided by the following objectives:

1. Broad awareness of the confidential nature of the Social Security number;
2. Reduced reliance upon the Social Security number for identification purposes;
3. A consistent policy towards and treatment of Social Security numbers throughout the University; and
4. Increased confidence by students and employees that Social Security numbers are handled in a confidential manner.

Contents

I. Policy/Regulations

   A. ETSU ID Number

   B. Posting Grades and Personal Information

   C. Social Security Number Transmission

   D. Language for University Forms

   E. Documentation Retention

   F. Social Security Number Provision Requirements

   G. Release of Social Security Numbers

   H. Storage of Social Security Numbers

   I. Social Security Number Access

   J. Confidentiality of Social Security Numbers

   K. Non-prohibition of Legal Use

   L. Non-prohibition of Investigative Use

II. Enforcement

   A. Compliance Oversight

   B. Disciplinary Action

I. Policy/Regulations

A. ETSU ID Number

An ETSU ID Number (EUID) will be assigned to all students and employees.  It will be uniquely associated with the individual to whom it is assigned. The EUID will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University, except in cases where use of the Social Security number is mandated by federal or state law.

1. the EUID will be considered the property of East Tennessee State University, and its use and governance shall be at the discretion of the University, within the parameters of the law.

2. the EUID will be created and maintained by authorized personnel as designated by the Vice-Presidents over the Human Resources, Finance, Student Admissions, Financial Aid, and Advancement Offices

3. the EUID will be a component of a system that provides a mechanism for both the identification of individuals and a method of authentication.

B. Posting Grades and Personal Information

Grades and other pieces of personal information will not be publicly posted or displayed in a manner where use of all or part of the EUID or Social Security number (including use of the last few digits of the Social Security number) identifies the individual associated with the information.

C. Social Security Number Transmission

Social Security numbers will be electronically transmitted only through encrypted mechanisms.

1 Email systems, in and of themselves, must be considered insecure as a vehicle by which Social Security numbers are transmitted.

2 Files containing Social Security Numbers to be sent via email must be encrypted prior to being attached to the email note

D. Language for University Forms

All University forms and documents that collect Social Security numbers will contain the appropriate language stating the reason for the request and whether the request is voluntary or mandatory. 

E. Documentation Retention

Documents that contain social security numbers shall be properly destroyed when those documents no longer need to be retained pursuant to University document retention policies.   Paper documents containing social security numbers should be shredded.   Electronic documents containing social security numbers should be destroyed in a manner consistent with the “best practices” guidance issued by the Office of Information Technology.   

F. Social Security Number Provision Requirements

Except where the University is legally required to collect a Social Security number, individuals will not be required to provide their Social Security number, verbally or in writing, at any point of service, nor will they be denied access to those services should they refuse to provide a Social Security number.  However, individuals may volunteer their Social Security number as an alternate means of locating an institutional record.

G. Release of Social Security Numbers

Social Security numbers will be released by the University to entities outside the University only:

1. as allowed by law; OR

2. when permission is granted by the individual; OR

3 when the external entity is acting as the University's contractor or agent and adequate security measures are in place to prevent unauthorized dissemination to third parties; OR

4 when University Legal Counsel has approved the release.

H. Storage of Social Security Numbers

The Social Security number may continue to be stored as a confidential attribute associated with an individual.  The Social Security number will be used as:

1. Allowed by law;

2 A key to identify individuals, such as University contractors and agents, for whom a EUID is not known or has not been assigned.

3 A key to identify historical records such as those in payroll/benefits and student records.

I . Social Security Number Access

A ccess to information or documents containing social security numbers will be restricted to employees who have a legitimate University business reason to access such information or documents.   Unit supervisors/unit administrators are responsible for implementing this restriction through appropriate unit training and oversight procedures.

J. Confidentiality of Social Security Numbers

University employees shall maintain the confidentiality of University information and documents containing social security numbers.   University employees shall not do any of the following with the social security number of an employee, student, or other individual:

1. Publicly display the social security number.

2. Use the social security number as an individual’s primary account number unless that use has been approved by the Assistant Vice President for Human Resources or the Associate Provost and Associate Vice President for Academic Human Resources.

3. Visibly print the social security number on any identification badge, membership card, permit, or license.

4. Mail a document containing an individual’s social security number unless it falls within one of the following exceptions:  

a. State or federal law, rule, regulation, or court order or rule authorizes, permits, or requires that the social security number appear in the document.

b. The document is sent as part of an application or enrollment process initiated by the individual.

c. The document is sent to establish, confirm the status of, service, amend, or terminate an account, contract, policy, or employee or health insurance benefit, or to confirm the accuracy of a social security number of an individual who has an account, contract, policy, or employee or health insurance benefit.

d. The document is mailed in connection with an ongoing administrative use to do any of the following:

i. Verify an individual’s identity, identify an individual, or accomplish another similar administrative purpose related to an existing or proposed account, transaction, product, service, or employment.

ii.    Investigate an individual’s claim, credit, criminal, or driving history.

iii.   Detect, prevent, or deter identity theft or another crime.

iv.   Lawfully pursue or enforce the University’s legal rights.

v.    Provide or administer employee or health insurance benefits, claims, or retirement programs.

e. The document is mailed by or at the request of the individual whose social security number appears in the document or at the request of his/her parent or legal guardian.

f. The document is mailed in a manner or for a purpose consistent with the Gramm-Leach-Bliley Act (GLB), Health Insurance Portability and Accountability Act (HIPAA), or the Family Educational Rights and Privacy Act and the Privacy Act of 1974 (FERPA).

g. Other exceptions approved by the Office of General Counsel.

K . Non-prohibition of Legal Use

This Policy does not prohibit the use of social security numbers where the use is authorized or required by state or federal statute, rule, regulation, or court order or rule, or pursuant to legal discovery or process.

L . Non-prohibition of Investigative Use

This Policy also does not prohibit the use of social security numbers by the Department of Police and Public Safety for criminal investigation purposes or the provision of social security numbers to a Title IV-D agency (child support/support orders), law enforcement agency, court, or prosecutor as part of a criminal investigation or prosecution.

II. Enforcement

A. Compliance Oversight

The East Tennessee State University (Director of Compliance) will work to ensure compliance with this policy and to recommend changes if appropriate. Specific responsibilities are spelled out below.  

1. Oversee and ensure the implementation of these guidelines;

2. Provide support, guidance, and problem resolution for offices working with Social Security numbers;

3. Request a legal opinion from University Legal Counsel through the Executive Director of University Compliance on the collection, use or disclosure of Social Security numbers, when the Committee or a campus unit believes such an opinion is needed or would be helpful;

4. Maintain a list of entities, approved by University Legal Counsel, to which Social Security numbers may be released; 

5. Provide information and training to employees and students concerning their rights and responsibilities with regard to the collection, use and disclosure of Social Security numbers;

6. Resolve differences in implementation procedures to ensure uniformity across the University in implementation details, and an adherence to the spirit of this policy statement; 

7. Authorize additional collection and/or uses of Social Security numbers by the University in electronic systems and otherwise, if appropriate.  

B. Disciplinary Action

Employees and students may be subject to disciplinary action, up to and including termination of employment or dismissal from the University for violating this policy, such as by breaching the confidentiality of Social Security numbers.  Any such disciplinary action shall be governed by the regular University policies and procedures applicable to the situation.

Source:  Approved Senior Staff, August 25, 2008.