The Identity Protection Act (5 ILCS 179) (IPA) is an Illinois state law that became effective June 1, 2010, seeking to control the collection and use of Social Security Numbers by state and local government agencies. The Act specifically prohibits certain uses of Social Security Numbers at public institutions and agencies, creates collection and protection requirements, and also requires state agencies (such as the University of Illinois) to enact an identity protection policy for public view and for employees working with Social Security Numbers (SSNs).
As part of the Act, the State requires that all employees who have access to Social Security Numbers in the course of performing their duties be trained to protect the confidentiality of Social Security Numbers from the time of collection through the destruction of the information. Early in the year 2000, the University of Illinois (UI) adopted a formal policy related to the collection, maintenance, and distribution of Social Security Numbers. The UI Social Security Number Policy (including detailed information pertaining to the IPA) is online at the University’s SSN website.
Employees required to use SSNs and/or work with documents that include SSNs must be authorized to have access to them by their Dean, Director or Department Head (DDDH) or designee. In accordance with University data classification guidelines, SSNs are High Risk data whether collecting, using, or destroying them.
The University’s SSN website provides detailed information for handling SSNs. If you have any questions, concerns, and comments on handling SSNs, please send email to the University’s SSN Coordinators.
NO person, or state or local government agency may do the following:
Under the Act, SSNs may NOT be collected, used, or disclosed unless:
Those requirements have several exceptions:
If the state agency collects Social Security Numbers and uses them on forms/documents that might be subject to public inspection and copying (e.g., FOIA requests), then the state agency must redact the Social Security Numbers BEFORE the public inspection and copying takes place.
Under the Act, Social Security Numbers may not be embedded in cards or other devices through chip, magnetic strip, RFID, or other technologies. For example, an employee's SSN cannot be stored on the magnetic strip found on an i-Card.
Social Security Numbers are classified as high risk data and need to be protected through the life cycle. Below is a short list of concerns / guidance for handling SSN data.
- If collecting SSNs, do you have an approved disclosure statement?
- Is the data being created in a secure location?
- Are you creating multiple copies?
- Do you really need to copy the data or is access sufficient?
- Are you transferring the data securely?
- Are you authorized to transfer the data?
- Is the person who is receiving the data authorized to have it?
- Can your document be protected with a password?
– Secure data so only authorized people can access it
– Encrypt data (especially on portable devices)
– Paper documents with sensitive information should be shredded using a cross-cut shredder.
– Securely erase data on digital media
The Urbana campus provides training on working with sensitive data. Additional information can be found at https://security.illinois.edu/content/sensitive-data-orientations
Please send questions, concerns, and comments to the UI SSN Coordinators.