Social Security Numbers (S-18)

Standard: S-18
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: September 1, 2019
Date Last Revised: December 12, 2024

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

Contacts

Clarification of Standard

Purdue Systems Security (PSS)
765-494-4000 | itpolicyanswers@purdue.edu

Individuals and Entities Affected

University students, faculty, staff and all other individuals or entities using University IT Resources and/or who handle or have access to Social Security Number data within University processes.

Statement of Standard

Purdue University is dedicated to ensuring the privacy and proper handling of Social Security Numbers (SSNs) of its students, employees and individuals associated with the University and to supporting both the letter and spirit of related laws and regulations.

This standard is guided by the following objectives:

1. Broad awareness of the confidential nature of the SSN.
2. Reduced reliance upon the SSN for identification purposes.
3. Increased emphasis on secure use, transmission and storage of the SSN throughout University IT Resources.
4. A consistent standard toward and treatment of SSNs throughout the University.
5. Increased confidence by students and employees that SSNs are handled in a confidential manner.

Appropriate Use

It is Purdue University’s intent to protect the SSN of its students, staff and faculty to minimize the growing risks of identity theft.

Accordingly, the SSN will be collected and used only as:

1. Required by law;
2. When necessary for employment records, financial aid records, and a limited number of other business and governmental transactions, as required by law;
3. A method to identify individuals for whom a PUID has not been created and not used for other internal processes;
4. A means to uniquely identify an individual for PUID assignment; and
5. In accordance with Indiana Code 4-1-8, or any successor legislation thereto, unless the University is legally required to collect an SSN, individuals will not be required to provide their SSNs verbally or in writing at any Point of Service, nor will they be denied access to those services should they refuse to provide an SSN. However, individuals may volunteer their SSNs if they wish as an alternate means of locating a record.

SSNs will be disclosed by the University to external entities only:

1. As allowed or required by law; or
2. When permission is granted by the individual; or
3. When the external entity is acting as the University’s contractor or agent and adequate security measures and agreements are in place to prevent unauthorized dissemination to third parties.

The SSN may not be used as a common identifier or used as a database key in any electronic information system.

The University will assign a Purdue University Identifier (PUID) to an individual upon initial association with the University. The PUID is not the same as, nor based upon, the individual’s SSN or other unique demographic information. Except as permitted herein, the PUID will be used in all future electronic and paper data systems to identify, track and service individuals associated with the University. The PUID will be permanently and uniquely associated with the individual to whom it is originally assigned. The PUID will be considered the property of Purdue University, and its use and governance will be at the discretion of the University, within the parameters of the law.

Data Handling

• All University forms and documents that collect SSNs will use the appropriate language to indicate whether request is voluntary or mandatory.
• Business and IT units will ensure individuals are trained regarding appropriate use, disclosure and data handling of SSNs prior to accessing IT Resources and Information Assets.
• Grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the complete PUID or SSN, or partial PUID or SSN, are used to identify an individual.
• SSNs will be transmitted electronically only through encrypted mechanisms over open, public networks.
• Paper and electronic documents containing SSNs will be disposed of in accordance with data-handling requirements as defined by the administrative data owners for Restricted Data.
• All new systems purchased or developed by Purdue will not use SSN as identifiers except where such use is specifically permitted or required under this standard. Such systems will not visually display the SSN on any system output, including monitors and printed forms, unless required by law or required by Purdue University as needed in execution of its duties.
• No new system or technology, where the SSN is a consideration, will be developed or purchased by Purdue unless it is compliant with this standard or approved as an exception.
• For new and existing business needs unable to comply with these standard requirements, the Request for Security Policy Exception must be approved by the Chief Information Security Officer, or delegate.

An employee, student, volunteer, representative, contractor or any other agent of Purdue University who has substantially breached the confidentiality of SSNs may be subject to disciplinary action or sanctions up to and including discharge or dismissal, in accordance with University policy and procedures.

Responsibilities

Centralized and Departmental IT Units and IT Resource Owners (and designees)

• Implement and monitor compliance with this standard and any related policies, standards and best practices for University IT Resources within their areas of responsibility.
• Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure University IT Resources.

Data Stewards

• Work with Information Owners to grant or remove access by role or by person to accounts internal and external to the business area.
• Provide and track appropriate certification or training prior to granting access to systems.
• Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure University IT Resources.

Purdue Systems Security (PSS)

• Provide identification (PUID) to individuals upon initial association with the University.
• Facilitate the review of requests for a security policy exception.
• Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure University IT Resources.

University students, faculty, staff and all other individuals or entities using University IT Resources

• Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) or Information Assets they access.

Definitions

All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Information Security and Privacy (VII.B.8) and in the central Policy Glossary. 

Point of Service

A physical or electronic interaction between the University and its employees, students or other individuals, during which the University provides physical, educational, informational or electronic services to the individual.

PUID

Purdue University unique identifier assigned to an individual upon initial association with the University. Used for identification within electronic systems.

Restricted Data

Information protected because of protective statutes, policies or regulations. Includes information that isn’t by default protected by legal statute, but for which the Information Owner has exercised the right to restrict access.

Related Documents, Forms and Tools

This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Additional related policies and procedures:

• Access to Student Education Records (VIII.A.4)
• Security Policy Exception Procedures
• Data Classification and Handling Procedures

Related laws and regulations:

• Family Rights and Privacy Act of 1974 (FERPA)
• Indiana Code 4-1-8: State Requests for Social Security Numbers
• Indiana Code 4-1-10: Release of Social Security Number

History and Updates

December 12, 2024: Document reviewed; minor administrative updates made to titles, offices and links.

September 1, 2019: This standard supersedes the Social Security Number Policy (VII.B.7) revised November 18, 2011, originally issued August 4, 2004. Reorganized the information into a more readable order. Removed the appointment of system-wide coordinators and campus SSN administrators; instead outlined responsibilities for centralized and departmental IT units, IT Resource Owners and Data Stewards. Removed several definitions.

Appendix

There are no appendices to this standard.