Text of the Policy

Social Security Number Policy

The following policy was approved and adopted by Craig Bazzani, Vice President for Administration, Chester S. Gardner, Vice President for Academic Affairs, and their managment teams in January and February of 2000.

Last update: 3/14/2011
A detailed list of updates to the policy is available.

Social Security Number Policy

Note: Items in Italics are defined in the Definitions section

 

Objectives

The University of Illinois recognizes that it collects and maintains confidential information relating to its students, employees, and individuals associated with the University and is dedicated to ensuring the privacy and proper handling of this information. This should be understood as the spirit of this policy statement. The primary purpose of this Social Security number policy is to ensure that the necessary procedures and awareness exists to ensure that University employees and students comply with both the letter and the spirit of the Family Educational Rights and Privacy Act and the Privacy Act of 1974. The University is guided by the following objectives:

1. Broad awareness of the confidential nature of the Social Security number;
2. Reduced reliance upon the Social Security number for identification purposes;
3. A consistent policy towards and treatment of Social Security numbers throughout the University; and
4. Increased confidence by students and employees that Social Security numbers are handled in a confidential manner.
5. To ensure compliance with the Illinois Identity Protection Act

 

I.Guidelines / Regulations

I.1.Each campus, including University Administration, will assign to an existing administrator the responsibility of overseeing Social Security number usage on his or her campus. These administrators control the Social Security number and their approval will be required to use the Social Security number in any new electronic system. Specific responsibilities are spelled out in the Implementation section below (II.1). Each campus is free to choose an administrator that best fits its individual administrative model. The University Administration administrator will represent University Administration and provide an institutional perspective to all dialog between these administrators.

I.2.A University wide Unique Identification Number (UIN) will be assigned to all students, employees, and other associated individuals, such as contractors or consultants. This UIN will be assigned at the earliest possible point of contact between the individual and the University. The UIN will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University. It will be permanently and uniquely associated with the individual to whom it is originally assigned.

I.2.1.The UIN will be considered the property of the University of Illinois, and its use and governance shall be at the discretion of the University, within the parameters of the law;

I.2.2.The UIN will be maintained and administered in accordance with the University of Illinois policy on the University Identification Number

I.2.3.The UIN will be a component of a system that provides a mechanism for the identification of individuals but will not be used for authentication or as a password;

I.2.4.The UIN may not be used for any part of a login.

I.3.The University of Illinois will adopt a phased compliance strategy with the goal of attaining complete compliance with this policy statement within five years of its adoption (see section II.4).

I.4.Grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the UIN or Social Security number identifies the individual associated with the information.

I.5.Social Security numbers will be electronically transmitted only through encrypted mechanisms.

I.6.All University forms and documents that collect Social Security numbers will use the language included below (II.2) and will indicate whether request is voluntary or mandatory. Forms and documents will be modified on an as reprinted basis with full compliance by fall 2002.

I.7.Paper and electronic documents containing Social Security numbers will be disposed of in a secure fashion.

I.8.Except where the University is legally required to collect a Social Security number, individuals will not be required to provide their Social Security number, verbally or in writing, at any point of service, nor will they be denied access to those services should they refuse to provide a Social Security number. However, individuals may volunteer their Social Security number if they wish as an alternate means of locating a record.

I.9.Social Security numbers will be released by the University to entities outside the University only

I.9.1.As allowed by law;

OR

I.9.2.When permission is granted by the individual; OR

I.9.3.When the external entity is acting as the University's contractor or agent and adequate security measures are in place to prevent unauthorized dissemination to third parties; OR

I.9.4.When Legal Counsel has approved the release.

The Social Security Number Coordinators will maintain the list of approved entities.

I.10.The Social Security number may continue to be stored as a confidential attribute associated with an individual. The Social Security number will be used as

I.10.1.Allowed by law;

I.10.2.A key to identify individuals for whom a UIN is not known.

 

I.11.This policy does not preclude, if a primary means of identification is unavailable, University of Illinois employees from using the Social Security number as needed during the execution of their duties. The other aspects of this policy statement bind such usage.

I.12.Social Security numbers will only be collected in circumstances where the collection is mandated by a government agency.

I.13.Individuals that are identified as having access to SSNs in the course of performing their duties must be provided with training materials on the proper handling of SSNs.

I.14.Only employees that are authorized by the Social Security Number Coordinators are permitted to have access to SSNs.

 

II.Implementation

II.1.Each campus Social Security number office will have the responsibility to:

II.1.1.Oversee and ensure the implementation of this policy statement;

II.1.2.Provide support, guidance, and problem resolution for offices working with Social Security numbers;

II.1.3.Serve as an intermediary between campus units and University Legal Counsel when an opinion on the release or exchange of Social Security numbers is required;

II.1.4.Maintain a list of entities, approved by Legal Counsel, to which Social Security numbers may be released;

II.1.5.Coordinate with the other campus Social Security number offices to create an electronic system to function as the central distribution mechanism for information pertaining to Social Security number usage at the University;

II.1.6.Coordinate with the other campus Social Security number offices to produce a University-wide educational program to train employees on the handling of Social Security numbers and make students aware of their rights and responsibilities with regard to Social Security numbers;

II.1.7.Meet regularly to resolve differences in implementation procedure to ensure uniformity across the University in implementation details, and an adherence to the spirit of this policy statement;

II.1.8.Authorize the use of Social Security numbers in all electronic systems. Systems collecting, storing, or using Social Security numbers must receive explicit permission to do so from the appropriate SSN Coordinator. Business cases supporting such requests must include the legal or functional requirement for using the SSN, detailed descriptions of the security precautions planned for such systems, and how prepared the unit is to cover the costs for any potential data breach. Units should assume a breach cost of $75 for each SSN stored by the proposed system.

II.2.All University forms and documents that collect Social Security numbers will use the language included below. It is understood that this language will be implemented on an ‘as reprinted' basis for existing paperwork, with a full compliance date of fall 2002. If situations arise in which the following statements are not appropriate, the administrators described in section I.1 will work with Legal Counsel to provide an appropriate alternative statement.

II.2.1.1.Student

"Use of Student Social Security numbers: Furnishing a Social Security number (SSN) is voluntary and not required for enrollment. However, the University of Illinois is required by federal law to report to the Internal Revenue Service (IRS) the name, address and SSN for persons from whom tuition and related expenses are received. Federal law also requires the University to obtain and report to the IRS the SSN for any person to whom compensation is paid. Failure to provide such information may delay or even prevent your enrollment. The University will not disclose a SSN for any purpose not required by law without the consent of the student."

II.2.1.2.Employee

"Use of Employee Social Security numbers: The University of Illinois is required by federal law to report income along with Social Security numbers (SSNs) for all employees to whom compensation is paid. Employee SSNs are maintained and used by the University for payroll, reporting and benefits purposes and are reported to federal and state agencies in formats required by law or for benefits purposes. The University will not disclose an employee's SSN without the consent of the employee to anyone outside the University except as mandated by law or required for benefit purposes."

II.2.1.3.General Statement for student handbooks and course timetables

"The University of Illinois is committed to protecting the privacy of its students, employees, and alumni, as well as other individuals associated with it. At times the University will ask you for your Social Security number. Federal and state law requires the collection of your Social Security number for certain purposes such as those relating to employment and student loans. Whenever your Social Security number is requested the electronic or physical form used to collect your number will be clearly marked as to whether this request is voluntary or mandatory.

Why does the University ask for your Social Security number when it isn't mandatory, such as at enrollment? The University is required by the IRS to supply them with the name, address, and Social Security number of every tuition-paying student. The IRS relies on these lists to certify education related tax credits. The University cannot provide the IRS with this information without a valid Social Security number. Consequently, if you intend to take advantage of any education related deductions it is important that the University have a valid Social Security number for you.

Further, the University is required to have a valid Social Security number before an individual can entered into any business system involving financial transactions. Thus without your Social Security number the University cannot grant an assistantship, waiver, or provide employment. Providing the University with your Social Security number in advance is the safest way to ensure that these services are available with the least delay.

Finally, many of the University's legacy computer systems (those built before the creation of the I-Card) rely on the Social Security number to track students academic and financial records. Supplying a valid Social Security number helps the University maintain these records as accurately as possible.

Social Security numbers collected by the University may be used in a variety of ways, such as but not limited to the following.

1.To identify such student records as applications for admission, registration-related documents, grade reports, transcript and certification request, medical immunization records, student financial records, financial aid records, and permanent academic records;2.To determine eligibility, certify school attendance, and report student status;3.To use as an identifier for grants, loans, and other financial aid programs; and4.To identify and track employment or medical records.

The University of Illinois is working to minimize the use of Social Security numbers within its business processes. The Social Security number will not be disclosed to individuals or agencies outside the University of Illinois except as allowed by law or with permission from the individual. This statement was created for informational purposes only and may be amended or altered. For a full description of the University of Illinois' Social Security number policy, please visit http://www.ssn.uillinois.edu."

II.3.Administrative Information Technology Services (AITS) in conjunction with the campus Social Security number offices will, as part of its data management strategy, develop a set of guidelines addressing the handling of Social Security numbers in electronic systems. Adherence to these guidelines in all future development will be considered a requirement of this policy statement. These guidelines will explicitly address:

II.3.1.The display of Social Security numbers on computer terminals, screens, and reports;

II.3.2.The security protocol required to access Social Security numbers when they are included in part of an electronic database;

II.3.3.Alternate mechanisms for integrating data other than the use of Social Security number;

II.3.4.The legal requirement to maintain confidentiality of the Social Security numbers imposed by the Family Educational Rights and Privacy Act and the Privacy Act of 1974;

II.3.5.Obtaining permission to include the Social Security number in a system from the administrator designated in section I.1.

II.4.Phased Compliance Strategy Timetable

II.4.1.Phase I generally consists of approving this policy, creating responsible offices, and broadly educating University personnel about Social Security number collection and usage; specifically phase I is the implementation or adoption of sections I.1, I.3, I.4, I.6, I.8, I.9, I.10, I.11, II.1, and II.3 of this policy statement.

II.4.2.Phase II prioritizes systems and services out of compliance, and begins remediating or replacing these; specifically phase II includes the definition and development of the infrastructure necessary to implement sections I.2, I.5, I.7, and I.12.

II.4.3.Phase III completes remediation or replacement of systems out of compliance, and monitors and supports existing or developing systems and procedures. Phase III will be complete when every section of this policy statement has been implemented or adopted.

 

III.Enforcement

III.1.On each campus, the Social Security number office will be responsible for monitoring compliance with this policy.

III.2.An employee or student who has substantially breached the confidentiality of Social Security numbers may be subject to disciplinary action or sanctions up to and including discharge or dismissal in accordance with University and Campus policy and procedures.

 

IV.Definitions

IV.1.FERPA - Family Educational Rights and Privacy Act.

IV.2.Phased Compliance Strategy – A strategy that attempts to define a multi-tiered approach to achieving compliance.

IV.3.Point of Service - a physical or electronic interaction between the University and either its employees, students or other individuals, during which the University provides physical, educational, informational, or electronic services to the individual.

IV.4.Secure Fashion – In the context of the destruction of paper and electronic documents, this refers to a method that defeats both casual and deliberate attempts at theft, e.g., the shredding of documents containing Social Security numbers and the use of ‘confidential' recycling bins. For electronic documents this refers to explicit deletion or storage on a device protected by a password based security system.