Indiana SSN Law FAQ
June 21, 2006
Q1 The normal business of my department requires that we exchange information containing Social Security number (SSN) information within the department or with other Purdue departments such as the Registrar or Admissions. Is this still permitted under the law?
A1 Yes, internal use of SSN information within the Purdue system for the purpose of conducting normal business is still permitted under that law. However, it is important to remember that Purdue data handling guidelines address the usage and methods of exchanging sensitive and restricted data, in addition to just SSN information. These guidelines can be found at:
Q2 We need to exchange data containing SSN information with other Purdue campuses for business or academic purposes. Is this still permitted?
A2 Yes, internal use of SSN information within the Purdue system is permitted and, additionally, the law also specifically permits the exchange of information between state agencies. Purdue data handling guidelines must always be followed when determining the method and use of technology with these exchanges. Additionally, remember that the University SSN policy states “… PUID will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University.”
Q3 My department exchanges data that contains SSN information with federal agencies such as NSF and NIH. Is this still permitted?
A3 The law permits disclosure of the SSN to a “state, local, or federal agency” or where required by federal or state law. These situations need to be reviewed by University legal counsel if you have questions about whether you are dealing with a state, local, or federal agency.
Q4 My department administers health benefits plans for the University and needs to exchange information that contains SSN information with plan administrators. Is this still permitted?
A4 Yes, the laws specifically permit disclosures related to the administration of health benefits plans; however, the University data handling policies and procedures and other legal requirements such as HIPAA must also be observed.
Q5 Is it permissible to disclose SSN information when required by a contractual relationship with a private business or a third-party not part of a state or federal agency?
A5 Generally, this type of disclosure would be prohibited under the law, but the individual circumstances of these situations need to be reviewed in consultation with University legal counsel. If you need to contact University counsel, consult with your Dean or department head.
Q6 Are there penalties involved in the violations of the SSN law?
A6 Yes, where a disclosure is impermissibly made, penalties apply to the individual state agency employee making the disclosure. If the disclosure was “negligent,” the charge is a Class A infraction. If the disclosure is “knowing, intentional, or reckless,” the charge is a Class D felony. The presumptive sentence or fine for a Class D felony is a prison term between six (6) months and three (3) years, with the advisory sentence being one and one-half (1½) years. In addition, the person may be fined not more than ten thousand dollars ($10,000).
Q7 My department has certain forms that we provide directly to individuals that contain that individual’s SSN. Is this permitted under the law?
A7 The law does not specifically mention the disclosure of an SSN to the SSN’s owner. In general, use of SSN information on forms should be avoided and only used where required by federal and state law. All University forms and documents that collect SSNs will use the appropriate language to indicate whether the request is voluntary or mandatory.
Q8 Does the SSN law cover use of only the last four numbers of the SSN?
A8 Use of the last 4 numbers of the SSN is permitted by law but per University Data Classification and Handling requirements, grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the complete PUID or SSN, or partial PUID or SSN, are used to identify an individual.
Q9 Information about the SSN law has indicated that “encrypted” SSN information is permitted. Does the law indicate how SSN information is to be encrypted?
A9 Keep in mind that Purdue is reacting to two laws. The law specifically dealing with the disclosure of SSN information does not mention encryption and offers no safe harbor for encrypted data. A literal reading of this law could suggest that disclosure of SSN information, even if encrypted, would be an impermissible disclosure. The law that affects Purdue and deals with computer system breaches does specify “unencrypted” data but does not discuss the details of encryption. A law that affects private businesses with regard to system breaches does define encryption better and also adds the provision that the release of encrypted information together with the key also triggers the provisions of those laws. This is an area that will likely see some additional attention as these laws go into effect. If there are questions regarding encryption policies and techniques, these need to be reviewed in consultation with University legal counsel.
Q10 Do the laws deal only with SSN information?
A10 There are actually two laws in this area. The first law, dealing only with SSN information, defines the criminal penalties for impermissible disclosures of SSN and requires notification of the affected individuals. The second law deals specifically with breaches of computer systems and covers various personal information that includes a full name or first initial and last name, plus another number such as SSN, driver’s license number, or other numbers related to financial transactions. This second law contains no criminal penalties but also requires notification of the affected individuals when “personal information” is disclosed or “is reasonably believed to have been acquired by an unauthorized party.”
Q11 The law specifies that it covers a “state agency.” We are affiliated with Purdue University but are not sure about our status as a state agency.
A11 The definition of “state agency” is very specific, and you should consult legal counsel to determine your exact status. Organizations such as the Purdue Alumni Association, although affiliated with Purdue University, are actually non-profit corporations and do not meet the legal definition of state agency. There are, however, additional Indiana laws that cover these privacy issues for entities doing business in Indiana. Generally, there are now laws covering this area for both state agencies and certain private businesses.
Q12 We use SSN information as search criteria with external sources such as search engines and databases. Is this still permitted?
A12 In general, disclosing SSN information in this manner would not be permitted under the law if the external entity (search engine or database provider) is not a state or federal agency. Purdue data handling requirements may also affect the technology and manner of transmitting this information even if the use is permitted. Note that Purdue data handling requirements indicate SSN should not be used as a common identifier or used as a database key in any Purdue electronic information system.