Approved By: Information Security Oversight Committee in conjunction with the Assistant Vice President of Information Technology
SUNY New Paltz is dedicated to ensuring the privacy and proper handling of the Social Security Numbers (SSNs) of its students, employees, and individuals associated with the College. The primary purpose of this Social Security Number policy is to ensure that the necessary procedures and awareness exist so college employees and students comply with the legal requirements that regulate the handling of this highly confidential data. The purpose of this policy is:
- To protect the privacy and legal rights of the members of the college community
- To generate broad awareness of the confidential nature of the Social Security Number
- To reduce the use of the Social Security Number for identification purposes
- To promote confidence by students and employees that Social Security Numbers are handled in a confidential manner
Authority and Responsibility
The Information Security Oversight Committee is responsible for identifying high risk practices and to coordinate appropriate responses to mitigate those risks. Assistant Vice President of Information Technology is responsible for the operation of the SUNY New Paltz data network and infrastructure as well as the establishment of information security policies, guidelines, and standards that relate to IT. These entities, therefore, have a responsibility to develop a policy in response to the significant privacy, security, and compliance risks concerning Social Security numbers.
Legal Requirements: Collection, Use, and Dissemination of Social Security Numbers
Federal Privacy Act of 1974 (5 USC §552a)
“It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.”
- To comply with another Federal law
- For a computer system in place prior to 1975
In addition, all government agencies must provide a disclosure statement every time they ask for a Social Security Number. That is, whenever a Social Security Number is requested, the electronic or physical form used to collect the number must be clearly marked as to:
- whether the request is voluntary or mandatory
- by what authority or legal statute the number is solicited
- what uses will be made of the Social Security Number
- the consequences, if any, of failure to provide the information
FERPA (20 USC §1232g)
FERPA (Family Educational Rights and Privacy Act) protects the privacy of student educational records and because social security numbers are considered personally identifiable education records, the collection and use of student Social Security Numbers must be minimized and safeguarded. Social Security Numbers should be collected only for the purpose of processing student loans, employment, and to meet other legal obligations (See SUNY New Paltz FERPA Policy: http://www.newpaltz.edu/ferpa/)
NY Education Law § 2b
“Institutions shall not display student Social Security Numbers on public listings of grades, class rosters, student ID cards, student directories, or anything else unless specifically authorized or required by law.”
Timeframe for Policy Implementation
The SUNY New Paltz student information system, Banner, generates student IDs that are used college wide as the student identifier. However, since the implementation of this system was recent and there still exists many third party databases, forms for data collection and historical paper documents currently using Social Security numbers as key identifiers, a phased-in implementation of this policy is needed. A plan for identifying these sources and removing the SSNs or the document has been developed. SUNY New Paltz units have begun work on reducing the availability and use of personally identifiable information such as the SSN.
Our goal is that the use of Social Security numbers as a common identifier and primary key to any database will be discontinued except where required for employment, financial aid, and a limited number of other business or governmental transactions as of October 1, 2009. As of this date, data custodians will be responsible for maintaining the privacy and confidentiality of SSNs on their systems as mandated by law.
It is the policy of SUNY New Paltz that the use of the Social Security Number (in whole or in part) will not be used as a common identifier or used as a database key in any electronic information system or paper document system. The SSN may be collected and used where required for employment, financial aid, and a limited number of other business and governmental transactions. Disclosure statements will be provided whenever a Social Security Number is requested, in compliance with the Federal Privacy Act of 1974.
SUNY New Paltz is committed to maintaining the privacy and confidentiality of an individual’s Social Security Number as mandated by law.
1. All forms on which persons are required to provide Social Security Numbers must now contain or have appended to them a statement explaining the College request; e.g., the legal obligation on which the request is based, if there is one and the use that will be made of the Social Security
a. For example, on an employment form, the following text can be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is required pursuant to the Internal Revenue Service Code. The Social Security Number is required to verify
b. If the Social Security Number is not required, but requested, the fact that supplying it is voluntary should be noted and the option of assigning a temporary, “dummy number” should be offered. For example, on an admissions application, the following text may be used: Consistent with the Federal Privacy Act of 1974, you are being notified that disclosure of your Social Security Number is voluntary and not required for application to SUNY New Paltz. If you do not choose to disclose your Social Security Number, a temporary identification number will be generated for you.
c. If the Social Security Number is not mandated by law, but is needed for a business purpose, e.g.,in the early stages of the admissions process (e.g., to match standardized test scores such as SATs, ACTs, etc.), a disclosure statement of the following form may be used: Consistent with the Federal Privacy Act of 1974 you are being notified that disclosure of your Social Security Number is not mandated by law, however, failure to do so may delay or even prevent processing of your application. This is because the College uses your Social Security Number to match your application with your standardized test scores. The College will not disclose your Social Security Number for any purpose not required by law without your consent.
2. The New Paltz ID (a.k.a. “Banner ID”, created in our Banner Student Information System) is assigned to all students, employees, and associated individuals at the earliest point possible in the individual’s contact and association with the College (this ID replaced the Social Security Number as a common, unique identifier and key to databases). The New Paltz ID will be used in all electronic and paper data systems to identify, track, and service individuals associate with the College and will not be posted where exposed to public (see New Paltz ID Usage Policy).
3. Social Security Numbers will be stored as a confidential attribute associated with an individual. They will be used as allowed and mandated by law.
4. The College will not require an individual to use their social security number (in whole or part) to access a campus internet web site.
5. Grades and other pieces of personal information will not be publicly posted or displayed with the Social Security Number. Class lists, rosters, student ID cards, and other reports will not display the Social Security Number: the New Paltz ID will be used instead (see New Paltz ID Usage Policy).
6. Encryption of Social Security Numbers is required between server and client workstations and whenever data is transmitted over unsecured networks.
7. Social Security Numbers should not be embedded on a card or document, including but not limited to, using a bar code, chip, magnetic strip, or other technology.
8. Paper and electronic documents containing Social Security Numbers will be handled, used, and disposed of in a secure fashion. Records containing SSNs or other confidential information will not be downloaded or stored on College or personal computers or other electronic devices that are not secured against unauthorized access, in compliance with the College’s Policy on Network Connected Devices.
9. Students/employees should not be asked for their SSN over the phone unless it is by an office that works directly with a governmental agency that requires SSN (such as Financial Aid or Human Resources). SSNs should not be spoken where others could overhear.
10. Social Security Numbers will be released by the College to entities outside the College only as allowed by law or when permission is granted by the individual.
11. Any employee or student aware of a breach of Social Security Numbers must report this immediately to the office of Internal Controls.
An employee or student who has knowingly or through neglect breached the confidentiality of Social Security Numbers will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with College policy and procedures.
Violation may also result in criminal prosecution. It is a felony, punishable by up to 5 years in prison, to compel a person to provide a Social Security Number in violation of Federal Law.