Indiana SSN Law FAQ

June 21, 2006

Question:

The normal business of my department requires that we exchange information containing SSN information within the department or with other Purdue departments such as the Registrar or Admissions.  Is this still permitted under the new law?

Answer:

Yes, internal use of SSN information within the Purdue system for the purpose of conducting normal business is still permitted under that law.  However, it is important to remember that Purdue data handling guidelines address the usage and methods of exchanging sensitive and restricted data, in addition to just SSN information.  These guidelines can be found at:

http://www.itap.purdue.edu/security/procedures/dataHandling1.html

Question:

We need to exchange data containing SSN information with other Purdue campuses for business or academic purposes.  Is this still permitted?

Answer:

Yes, internal use of SSN information within the Purdue system is permitted and, additionally, the new law also specifically permits the exchange of information between state agencies. Purdue data handling guidelines must always be followed when determining the method and use of technology with these exchanges.  Additionally, remember that the University SSN policy states “… PUID will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University”.

Question:

My department exchanges data that contains SSN information with federal agencies such as NSF and NIH.  Is this still permitted?

Answer:

The law permits disclosure of the SSN to a “state, local, or federal agency” or where required by federal or state law. These situations need to be reviewed by University legal counsel if you have questions about whether you are dealing with a state, local, or federal agency.

Question:

My department administers health benefits plans for the University and needs to exchange information that contains SSN information with plan administrators.  Is this still permitted?

Answer:

Yes, the new laws specifically permit disclosures related to the administration of health benefits plans; however, the University data handling policies and procedures and other legal requirements such as HIPAA must also be observed.

Question:

Is it permissible to disclose SSN information when required by a contractual relationship with a private business or a third-party not part of a state or federal agency?

Answer:

Generally, this type of disclosure would be prohibited under the new law, but the individual circumstances of these situations need to be reviewed in consultation with University legal counsel. If you need to contact University counsel, consult with your Dean or department head.

Question:

Are there penalties involved in the violations of the new SSN law?

Answer:

Yes, where a disclosure is impermissibly made, penalties apply to the individual state agency employee making the disclosure.  If the disclosure was “negligent,” the charge is a Class A infraction.  If the disclosure is “knowing, intentional, or reckless,” the charge is a Class D felony. The presumptive sentence or fine for a Class D felony is a prison term between six (6) months and three (3) years, with the advisory sentence being one and one-half (1½) years. In addition, the person may be fined not more than ten thousand dollars ($10,000).

Question:

My department has certain forms that we provide directly to individuals that contain that individual’s SSN.  Is this permitted under the new law?

Answer:

The new law does not specifically mention the disclosure of an SSN to the SSN’s owner. In general, use of SSN information on forms should be avoided and only used in conjunction with the University’s Social Security Number policy.  That policy can be found at:

http://www.purdue.edu/policies/pages/information_technology/v_5_1.html

Question:

Does the new SSN law cover use of only the last 4 numbers of the SSN?

Answer:

Use of the last 4 numbers of the SSN is permitted by the new law but may not be permitted by the University SSN policy.  For example, the University SSN policy states “Grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the complete PUID or SSN, or partial PUID or SSN, are used to identify an individual.”

Question:

Information about the new SSN law has indicated that “encrypted” SSN information is permitted. Does the law indicate how SSN information is to be encrypted?

Answer:

Keep in mind that Purdue is reacting to two new laws. The new law specifically dealing with the disclosure of SSN information does not mention encryption and offers no safe harbor for encrypted data.  A literal reading of this new law could suggest that disclosure of SSN information, even if encrypted, would be an impermissible disclosure.  The new law that affects Purdue and deals with computer system breaches does specify “unencrypted” data but does not discuss the details of encryption.  A new law that affects private businesses with regard to system breaches does define encryption better and also adds the provision that the release of encrypted information together with the key also triggers the provisions of those laws. This is an area that will likely see some additional attention as these laws go into effect.  If there are questions regarding encryption policies and techniques, these need to be reviewed in consultation with University legal counsel.

Question:

Do the new laws deal only with SSN information?

Answer:

There are actually two new laws in this area.  The first law, dealing only with SSN information, defines the criminal penalties for impermissible disclosures of SSN and requires notification of the affected individuals.  The second law deals specifically with breaches of computer systems and covers various personal information, which includes a full name or first initial and last name, plus another number such as SSN, driver’s license number, or other numbers related to financial transactions.  This second law contains no criminal penalties but also requires notification of the affected individuals when “personal information” is disclosed or “is reasonably believed to have been acquired by an unauthorized party.”

Question:

The new law specifies that it covers a “state agency.” We are affiliated with Purdue University but are not sure about our status as a state agency.

Answer:

The definition of “state agency” is very specific and you should consult legal counsel to determine your exact status.  Organizations such as the Purdue Alumni Association, although affiliated with Purdue University, are actually a non-profit corporation and do not meet the legal definition of state agency.  There are, however, additional new Indiana laws that cover these privacy issues for entities doing business in Indiana. Generally, there are now new laws covering this area for both state agencies and certain private businesses.

Question:

We use SSN information as search criteria with external sources such as search engines and databases.  Is this still permitted?

Answer:

In general, disclosing SSN information in this manner would not be permitted under the new laws if the external entity (search engine or database provider) is not a state or federal agency. Purdue data handling requirements may also affect the technology and manner of transmitting this information even if the use is permitted.
