Text of the Policy
Social Security Number Policy
The following policy was approved and adopted by Craig Bazzani, Vice
President for Administration, Chester S. Gardner, Vice President for
Academic Affairs, and their managment teams in January and February of
2000.
Last update: 3/14/2011
A detailed list of updates to the policy is available.
Social Security Number Policy
Note: Items in Italics are defined in the Definitions section
Objectives
The University of Illinois recognizes that it collects and maintains
confidential information relating to its students, employees, and
individuals associated with the University and is dedicated to ensuring
the privacy and proper handling of this information. This should be
understood as the spirit of this policy statement. The primary purpose
of this Social Security number policy is to ensure that the necessary
procedures and awareness exists to ensure that University employees and
students comply with both the letter and the spirit of the Family
Educational Rights and Privacy Act and the Privacy Act of 1974. The
University is guided by the following objectives:
- Broad awareness of the confidential nature of the Social Security number;
- Reduced reliance upon the Social Security number for identification purposes;
- A consistent policy towards and treatment of Social Security numbers throughout the University; and
- Increased confidence by students and employees that Social Security numbers are handled in a confidential manner.
- To ensure compliance with the Illinois Identity Protection Act
I.Guidelines / Regulations
I.1.Each campus, including University Administration, will assign to
an existing administrator the responsibility of overseeing Social
Security number usage on his or her campus. These administrators control
the Social Security number and their approval will be required to use
the Social Security number in any new electronic system. Specific
responsibilities are spelled out in the Implementation section below
(II.1). Each campus is free to choose an administrator that best fits
its individual administrative model. The University Administration
administrator will represent University Administration and provide an
institutional perspective to all dialog between these administrators.
I.2.A University wide Unique Identification Number (UIN) will be
assigned to all students, employees, and other associated individuals,
such as contractors or consultants. This UIN will be assigned at the
earliest possible point of contact between the individual and the
University. The UIN will be used in all future electronic and paper data
systems to identify, track, and service individuals associated with the
University. It will be permanently and uniquely associated with the
individual to whom it is originally assigned.
I.2.1.The UIN will be considered the property of the University of
Illinois, and its use and governance shall be at the discretion of the
University, within the parameters of the law;
I.2.2.The UIN will be maintained and administered in accordance with
the University of Illinois policy on the University Identification
Number
I.2.3.The UIN will be a component of a system that provides a
mechanism for the identification of individuals but will not be used for
authentication or as a password;
I.2.4.The UIN may not be used for any part of a login.
I.3.The University of Illinois will adopt a phased compliance
strategy with the goal of attaining complete compliance with this policy
statement within five years of its adoption (see section II.4).
I.4.Grades and other pieces of personal information will not be
publicly posted or displayed in a manner where either the UIN or Social
Security number identifies the individual associated with the
information.
I.5.Social Security numbers will be electronically transmitted only through encrypted mechanisms.
I.6.All University forms and documents that collect Social Security
numbers will use the language included below (II.2) and will indicate
whether request is voluntary or mandatory. Forms and documents will be
modified on an as reprinted basis with full compliance by fall 2002.
I.7.Paper and electronic documents containing Social Security numbers will be disposed of in a secure fashion.
I.8.Except where the University is legally required to collect a
Social Security number, individuals will not be required to provide
their Social Security number, verbally or in writing, at any point of
service, nor will they be denied access to those services should they
refuse to provide a Social Security number. However, individuals may
volunteer their Social Security number if they wish as an alternate
means of locating a record.
I.9.Social Security numbers will be released by the University to entities outside the University only
I.9.1.As allowed by law;
OR
I.9.2.When permission is granted by the individual; OR
I.9.3.When the external entity is acting as the University's
contractor or agent and adequate security measures are in place to
prevent unauthorized dissemination to third parties; OR
I.9.4.When Legal Counsel has approved the release.
The Social Security Number Coordinators will maintain the list of approved entities.
I.10.The Social Security number may continue to be stored as a
confidential attribute associated with an individual. The Social
Security number will be used as
I.10.1.Allowed by law;
I.10.2.A key to identify individuals for whom a UIN is not known.
I.11.This policy does not preclude, if a primary means of
identification is unavailable, University of Illinois employees from
using the Social Security number as needed during the execution of their
duties. The other aspects of this policy statement bind such usage.
I.12.Social Security numbers will only be collected in circumstances where the collection is mandated by a government agency.
I.13.Individuals that are identified as having access to SSNs in the
course of performing their duties must be provided with training
materials on the proper handling of SSNs.
I.14.Only employees that are authorized by the Social Security Number Coordinators are permitted to have access to SSNs.
II.Implementation
II.1.Each campus Social Security number office will have the responsibility to:
II.1.1.Oversee and ensure the implementation of this policy statement;
II.1.2.Provide support, guidance, and problem resolution for offices working with Social Security numbers;
II.1.3.Serve as an intermediary between campus units and University
Legal Counsel when an opinion on the release or exchange of Social
Security numbers is required;
II.1.4.Maintain a list of entities, approved by Legal Counsel, to which Social Security numbers may be released;
II.1.5.Coordinate with the other campus Social Security number
offices to create an electronic system to function as the central
distribution mechanism for information pertaining to Social Security
number usage at the University;
II.1.6.Coordinate with the other campus Social Security number
offices to produce a University-wide educational program to train
employees on the handling of Social Security numbers and make students
aware of their rights and responsibilities with regard to Social
Security numbers;
II.1.7.Meet regularly to resolve differences in implementation
procedure to ensure uniformity across the University in implementation
details, and an adherence to the spirit of this policy statement;
II.1.8.Authorize the use of Social Security numbers in all electronic
systems. Systems collecting, storing, or using Social Security numbers
must receive explicit permission to do so from the appropriate SSN
Coordinator. Business cases supporting such requests must include the
legal or functional requirement for using the SSN, detailed descriptions
of the security precautions planned for such systems, and how prepared
the unit is to cover the costs for any potential data breach. Units
should assume a breach cost of $75 for each SSN stored by the proposed
system.
II.2.All University forms and documents that collect Social Security
numbers will use the language included below. It is understood that this
language will be implemented on an ‘as reprinted' basis for existing
paperwork, with a full compliance date of fall 2002. If situations arise
in which the following statements are not appropriate, the
administrators described in section I.1 will work with Legal Counsel to
provide an appropriate alternative statement.
II.2.1.1.Student
"Use of Student Social Security numbers: Furnishing a Social Security
number (SSN) is voluntary and not required for enrollment. However, the
University of Illinois is required by federal law to report to the
Internal Revenue Service (IRS) the name, address and SSN for persons
from whom tuition and related expenses are received. Federal law also
requires the University to obtain and report to the IRS the SSN for any
person to whom compensation is paid. Failure to provide such information
may delay or even prevent your enrollment. The University will not
disclose a SSN for any purpose not required by law without the consent
of the student."
II.2.1.2.Employee
"Use of Employee Social Security numbers: The University of Illinois
is required by federal law to report income along with Social Security
numbers (SSNs) for all employees to whom compensation is paid. Employee
SSNs are maintained and used by the University for payroll, reporting
and benefits purposes and are reported to federal and state agencies in
formats required by law or for benefits purposes. The University will
not disclose an employee's SSN without the consent of the employee to
anyone outside the University except as mandated by law or required for
benefit purposes."
II.2.1.3.General Statement for student handbooks and course timetables
"The University of Illinois is committed to protecting the privacy of
its students, employees, and alumni, as well as other individuals
associated with it. At times the University will ask you for your Social
Security number. Federal and state law requires the collection of your
Social Security number for certain purposes such as those relating to
employment and student loans. Whenever your Social Security number is
requested the electronic or physical form used to collect your number
will be clearly marked as to whether this request is voluntary or
mandatory.
Why does the University ask for your Social Security number when it
isn't mandatory, such as at enrollment? The University is required by
the IRS to supply them with the name, address, and Social Security
number of every tuition-paying student. The IRS relies on these lists to
certify education related tax credits. The University cannot provide
the IRS with this information without a valid Social Security number.
Consequently, if you intend to take advantage of any education related
deductions it is important that the University have a valid Social
Security number for you.
Further, the University is required to have a valid Social Security
number before an individual can entered into any business system
involving financial transactions. Thus without your Social Security
number the University cannot grant an assistantship, waiver, or provide
employment. Providing the University with your Social Security number in
advance is the safest way to ensure that these services are available
with the least delay.
Finally, many of the University's legacy computer systems (those
built before the creation of the I-Card) rely on the Social Security
number to track students academic and financial records. Supplying a
valid Social Security number helps the University maintain these records
as accurately as possible.
Social Security numbers collected by the University may be used in a variety of ways, such as but not limited to the following.
1.To identify such student records as applications for admission,
registration-related documents, grade reports, transcript and
certification request, medical immunization records, student financial
records, financial aid records, and permanent academic records;2.To
determine eligibility, certify school attendance, and report student
status;3.To use as an identifier for grants, loans, and other financial
aid programs; and4.To identify and track employment or medical records.
The University of Illinois is working to minimize the use of Social
Security numbers within its business processes. The Social Security
number will not be disclosed to individuals or agencies outside the
University of Illinois except as allowed by law or with permission from
the individual. This statement was created for informational purposes
only and may be amended or altered. For a full description of the
University of Illinois' Social Security number policy, please visit
http://www.ssn.uillinois.edu."
II.3.Administrative Information Technology Services (AITS) in
conjunction with the campus Social Security number offices will, as part
of its data management strategy, develop a set of guidelines addressing
the handling of Social Security numbers in electronic systems.
Adherence to these guidelines in all future development will be
considered a requirement of this policy statement. These guidelines will
explicitly address:
II.3.1.The display of Social Security numbers on computer terminals, screens, and reports;
II.3.2.The security protocol required to access Social Security
numbers when they are included in part of an electronic database;
II.3.3.Alternate mechanisms for integrating data other than the use of Social Security number;
II.3.4.The legal requirement to maintain confidentiality of the
Social Security numbers imposed by the Family Educational Rights and
Privacy Act and the Privacy Act of 1974;
II.3.5.Obtaining permission to include the Social Security number in a system from the administrator designated in section I.1.
II.4.Phased Compliance Strategy Timetable
II.4.1.Phase I generally consists of approving this policy, creating
responsible offices, and broadly educating University personnel about
Social Security number collection and usage; specifically phase I is the
implementation or adoption of sections I.1, I.3, I.4, I.6, I.8, I.9,
I.10, I.11, II.1, and II.3 of this policy statement.
II.4.2.Phase II prioritizes systems and services out of compliance,
and begins remediating or replacing these; specifically phase II
includes the definition and development of the infrastructure necessary
to implement sections I.2, I.5, I.7, and I.12.
II.4.3.Phase III completes remediation or replacement of systems out
of compliance, and monitors and supports existing or developing systems
and procedures. Phase III will be complete when every section of this
policy statement has been implemented or adopted.
III.Enforcement
III.1.On each campus, the Social Security number office will be responsible for monitoring compliance with this policy.
III.2.An employee or student who has substantially breached the
confidentiality of Social Security numbers may be subject to
disciplinary action or sanctions up to and including discharge or
dismissal in accordance with University and Campus policy and
procedures.
IV.Definitions
IV.1.FERPA - Family Educational Rights and Privacy Act.
IV.2.Phased Compliance Strategy – A strategy that attempts to define a multi-tiered approach to achieving compliance.
IV.3.Point of Service - a physical or electronic interaction between
the University and either its employees, students or other individuals,
during which the University provides physical, educational,
informational, or electronic services to the individual.
IV.4.Secure Fashion – In the context of the destruction of paper and
electronic documents, this refers to a method that defeats both casual
and deliberate attempts at theft, e.g., the shredding of documents
containing Social Security numbers and the use of ‘confidential'
recycling bins. For electronic documents this refers to explicit
deletion or storage on a device protected by a password based security
system.