Table of Contents
Reason for This Policy
Statement of Policy
Compliance
Procedures
Responsibilities
History
Definitions
Forms
Who Should Know This Policy
Related Documents
Contacts
Reason for this Policy
Purdue University is dedicated to ensuring the privacy and
proper handling of Social Security Numbers (SSNs) of its
students, employees, and individuals associated with the
University. The primary purpose of this Social Security Number
policy is to ensure that the necessary procedures and awareness
exist so that University employees and students comply with
both the letter and the spirit of FERPA and Indiana Code
Title 4 Article 1 Chapter 8 -- State Requests for Social
Security Numbers, as amended from time to time. SSNs have
been used in University systems to uniquely identify students
and employees and to permit students and employees to gain
access to their own confidential information in University systems.
As systems are updated and replaced, the reliance on SSNs
will be reduced, as more fully explained in this policy.
This policy is guided by the following objectives:
- Broad awareness of the confidential nature of the SSN
- Reduced reliance upon the SSN for identification purposes
- Increased emphasis on secure use, transmission, and storage
of the SSN throughout the Purdue systems
- A consistent policy toward and treatment of SSNs throughout
the University
- Increased confidence by students and employees that SSNs
are handled in a confidential manner.
Statement of Policy
It is Purdue University’s intent to protect the SSN
of its students, staff, and faculty to minimize the growing
risks of identity theft.
Accordingly, the SSN may not be used as a common identifier
or used as a database key in any electronic information system.
The SSN may be collected and used when necessary for employment
records, financial aid records, and a limited number of other
business and governmental transactions, as required by law.
Purdue University will assign a Purdue University Identifier
(PUID) and other credentials, like a password or a digital
certificate, to an individual upon initial association with
the University for identification and authentication, in
order to eliminate the use of the SSN wherever possible.
The following are Purdue University policy regulations that
apply to all campuses within the Purdue system:
- All new systems purchased or developed by Purdue will
not use SSN as identifiers except where such use is specifically
permitted or required under this policy. Such systems should
not visually display the SSN on any system output, including
monitors and printed forms, unless required by law or required
by Purdue University as needed in execution of its duties.
- Each individual associated with Purdue will be assigned
a PUID that is not the same as, or based upon, the individual’s
SSN or other unique demographic information.
- No new system or technology, where the SSN is a consideration,
will be developed or purchased by Purdue unless it is compliant
with this policy or approved by the assigned SSN Administrator
as an exception.
- All University forms and documents that collect SSNs
will use the appropriate language to indicate whether the request
is voluntary or mandatory.
- In accordance with Indiana Code Title 4 Article 1 Chapter
8, or any successor legislation thereto, unless the University
is legally required to collect an SSN, individuals will
not be required to provide their SSNs verbally or in writing
at any Point of Service, nor will they be denied access
to those services should they refuse to provide an SSN.
However, individuals may volunteer their SSNs if they wish
as an alternate means of locating a record.
Compliance
The assigned SSN Administrator for each campus will be responsible
for the development of an implementation plan to monitor
compliance with this policy.
An employee, student, volunteer, representative, contractor,
or any other agent of Purdue University who has substantially
breached the confidentiality of SSNs may be subject to disciplinary
action or sanctions up to and including discharge or dismissal,
in accordance with University policy and procedures.
For new and existing business needs unable to comply with
these policy requirements, the formal SSN Policy Exception
Form must be approved by the IT Networks and Security organization
at Purdue, the assigned campus SSN Administrator, and the
System-Wide Coordinating Officer.
Procedures
Each campus will assign an administrator the responsibility
of overseeing SSN usage on his or her campus. These administrators
control the SSN, and their prior written approval will be
required to use the SSN in any new electronic system, or
to use the SSN in any modifications to an existing system.
Each campus is free to choose an SSN Administrator who best
fits its individual administrative model. The assigned SSN
Administrator will maintain the list of approved exceptions
for his or her campus.
The Provost or Executive Vice President and Treasurer will
appoint the System-Wide Coordinating Officer for system-wide
issues. The System-Wide Coordinating Officer shall have the
ultimate responsibility and authority over decisions and
the application of this policy for all Purdue Campuses.
PUID Assignment:
A University-wide PUID will be assigned to all students,
employees, alumni, and other associated individuals, such
as contractors or consultants. This PUID will be assigned
at the earliest possible point of contact between the individual
and the University. Except as permitted herein, the PUID
will be used in all future electronic and paper data systems
to identify, track, and service individuals associated with
the University. The PUID will be permanently and uniquely
associated with the individual to whom it is originally assigned.
The PUID will be considered the property of Purdue University,
and its use and governance shall be at the discretion of
the University, within the parameters of the law.
The PUID will be a component of a system that provides
a mechanism for both the identification of individuals
and a method of authentication. Except as specifically
provided herein, all services rendered by Purdue University
and electronic business systems will rely on the identification
and authentication process provided by this same system.
SSN Usage:
Grades and other pieces of personal information will not
be publicly posted or displayed in a manner where either
the complete PUID or SSN, or partial PUID or SSN, are used
to identify an individual.
In all new systems, SSNs will be transmitted electronically
only through encrypted mechanisms.
Paper and electronic documents containing SSNs will be disposed of in a Secure
Fashion in accordance with data-handling requirements, as defined by the administrative
data owners.
SSNs will be released by the University to external entities only:
- As allowed or required by law; OR
- When permission is granted by the individual; OR
- When the external entity is acting as the University's contractor or agent
and adequate security measures and agreements are in place to prevent unauthorized
dissemination to third parties.
The SSN may continue to be collected and stored as a confidential
attribute associated with an individual. The SSN will be
used as:
- Required by law;
- A method to identify individuals for whom a PUID has not been created and
not used for other internal processes; and
- A means to uniquely identify an individual for PUID assignment.
Phased Compliance Strategy:
Purdue University will adopt a Phased Compliance Strategy
for its existing systems. All Schools, Departments, Divisions,
and Business Units are strongly encouraged to complete the
required system and process modifications to comply with
this policy as soon as reasonably possible. Given the scope
of process, system, and data changes required, a comprehensive
compliance plan will be developed by each campus SSN Administrator.
Responsibilities
| Person | Responsibility |
| --- | --- |
| SSN Administrator(s) | Implementation of this policy statement and approval of SSN policy exceptions |
| All Purdue Stakeholders | Compliance with this policy statement |
History
Supersedes: Requesting Social Security
Numbers for Educational, Employment, and Other Record-Keeping
Purposes (B-54)
Definitions
| Word | Definition |
| --- | --- |
| FERPA | Family Educational Rights and Privacy Act, as amended from time to time. |
| Phased Compliance Strategy | A strategy that attempts to define a multi-tiered approach to achieving compliance. |
| Point of Service | A physical or electronic interaction between the University and its employees, students, or other individuals, during which the University provides physical, educational, informational, or electronic services to the individual. |
| PUID | Purdue University Identifier assigned to an individual upon initial association with the University. Used for identification in electronic systems. |
| Secure Fashion | In the context of the destruction of paper and electronic documents, this refers to a method that defeats both casual and deliberate attempts at theft -- e.g., the shredding of documents containing Social Security Numbers and the use of 'confidential' recycling bins. For electronic documents, this refers to explicit deletion or storage on a device protected by a password-based security system using encryption. |
| SSN | Social Security Number |
| SSN Administrator | The administrator on each campus who is assigned the responsibility of overseeing SSN usage on his or her campus. |
| System-Wide Coordinating Officer | The individual appointed by the Provost or Executive Vice President to act as the coordinating officer for system-wide SSN issues. |
Forms
In support of this policy, the following forms are included:
Who Should Know This Policy
- President
- Provost
- Executive Vice President and Treasurer
- Chancellors
- Vice Presidents
- Deans
- Directors/Department Heads
- Public Records Officers
- Business Office Staff
- Administrative and Professional Staff
- Clerical and Service Staff
- All Faculty, Staff, and Students
- External Stakeholders
Related Documents
The following documents provide further information related
to FERPA and the Privacy Act of 1974:
http://www.ed.gov/offices/OM/fpco/ferpa/index.html
http://www.usdoj.gov/foia/privstat.htm
The following document provides information on Indiana Code
Title 4 Article 1 Chapter 8 -- State Requests for Social
Security Numbers:
http://www.in.gov/legislative/ic/code/title4/ar1/ch8.html
The following documents provide information on the security
requirements for handling information developed by the appointed
administrative data owners:
http://www.itap.purdue.edu/security/procedures/dataClassif.cfm
http://www.purdue.edu/policies/pages/information_technology/c_34.html
http://www.purdue.edu/Business/Executive_Memoranda/VPBS/bom180.htm
Contacts
| Contact | Telephone | E-mail |
| --- | --- | --- |
| Campus SSN Administrator (each campus) | | |
| IT Security and Policy Organization | (765) 494-4000 | itap-securityhelp@purdue.edu |