University at Buffalo - The State University of New York
Skip to Content

Policy Information

Date Established: 11/19/06
Date Last Revised: 8/10/11
Category: Information Technology
Responsible Office: Office of the CIO
Responsible Executive: CIO

Policy Contents

Printing Tip

Be sure to disable the "shrink to fit" feature on your internet browser's print dialog box. 

Social Security Number Usage

Summary

This policy discontinues the use of Social Security Numbers as electronic data within applications and files.  Proposed is a plan for the stepwise elimination of this practice.

Policy Statement

It is the policy of the University at Buffalo that the use of the Social Security Number as a common identifier and the primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions.

Disclosure statements will be provided whenever a Social Security Number is requested, in compliance with the Federal Privacy Act of 1974.

UB is committed to maintaining the privacy and confidentiality of an individual’s Social Security Number as mandated by law.

Background

Legal Requirements: Collection, Use, and Dissemination of Social Security Numbers

  • Federal Privacy Act of 1974
    “It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.”

    Exceptions
    • To comply with another Federal law
    • For a computer system in place prior to 1975

      In addition, all government agencies must provide a disclosure statement every time they ask for a Social Security Number. That is, whenever a Social Security Number is requested, the electronic or physical form used to collect the number must be clearly marked as to:

    • whether the request is voluntary or mandatory
    • by what authority or legal statute the number is solicited
    • what uses will be made of the Social Security Number
    • the consequences, if any, of failure to provide the information
  • FERPA

FERPA protects the privacy of student educational records and requires schools to minimize collection and use of student Social Security Numbers. Social Security Numbers should be collected only for the purpose of processing student loans, employment, and to meet other legal obligations.

  • NY State Law: Chapter 16, Article 1, Title 1, Section 2b

“Institutions shall not display student Social Security Numbers on public listings of grades, class rosters, student ID cards, student directories, or anything else unless specifically authorized or required by law.”

Policy Purpose:

  • To protect the privacy and legal rights of the members of the University community
  • To generate broad awareness of the confidential nature of the Social Security Number
  • To reduce the use of the Social Security Number for identification purposes
  • To promote confidence by students and employees that Social Security Numbers are handled in a confidential manner

Procedure

Timeframe for Policy Implementation

A phased-in implementation of this policy is needed, since many major systems at the University are currently using Social Security numbers as key identifiers. Conversion of these systems is needed without causing serious disruptions in University business. A plan for a steady and purposeful movement away from dependency on Social Security Numbers will be developed. UB units have begun work on reducing the availability and use of personally identifiable information such as the SSN.

Our goal is that the use of Social Security numbers as a common identifier and primary key to database will be discontinued except where required for employment, financial aid, and a limited number of other business transactions as of January 1, 2006. As of this date, data custodians will be responsible for maintaining the privacy and confidentiality of SSNs on their systems as mandated by law.

Guidelines

  1. All forms on which persons are required to provide Social Security Numbers must now contain or have appended to them a statement explaining the University request; e.g., the legal obligation on which the request is based, if there is one and the use that will be made of the Social Security Number.
    1. For example, on an employment form, the following text can be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is required pursuant to the Internal Revenue Service Code. The Social Security Number is required to verify your identity.
    2. If the Social Security Number is not required, but requested, the fact that supplying it is voluntary should be noted and the option of assigning a temporary, “dummy number” should be offered.
      For example, on an admissions application, the following text may be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is voluntary and not required for application to UB. If you do not choose to disclose your Social Security Number, a temporary identification number will be generated for you.
    3. If the Social Security Number is not mandated by law, but is needed for a business purpose, e.g., in the early stages of the admissions process (e.g., to match standardized test scores such as MCATs, PCATs, etc.), a disclosure statement of the following form may be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is not mandated by law, however, failure to do so may delay or even prevent your enrollment. The University uses your Social Security Number to match your application with your standardized test scores. The University will not disclose your Social Security Number for any purpose not required by law without your consent.
  2. The UB Person Number will be assigned to all students, employees, and associated individuals at the earliest point possible in the individual’s contact and association with the University. The Person Number replaces the Social Security Number as a common, unique identifier and key to databases. The Person Number will be used in all future electronic and paper data systems to identify, track, and service individuals associate with the University.
  3. Social Security Numbers will be stored as a confidential attribute associated with an individual. They will be used as allowed and mandated by law.
  4. Grades and other pieces of personal information will not be publicly posted or displayed with the Social Security Number. Class lists, rosters, student ID cards, and other reports will not display the Social Security Number: the UB Person Number will be used instead. Grades are posted using the last four digits of the UB Person Number.
  5. Encryption of Social Security Numbers is required between server and client workstations and whenever data is transmitted over unsecured networks.
  6. Paper and electronic documents containing Social Security Numbers will be handled, used, and disposed of in a secure fashion. Records containing SSNs or other confidential information will not be downloaded or stored on University or personal computers or other electronic devices that are not secured against unauthorized access, in compliance with the University’s Policy on Network Connected Devices.
  7. Social Security Numbers will be released by the University to entities outside the University only as allowed by law, when permission is granted by the individual, or when Legal Counsel has approved the release.

Compliance

An employee or student who has substantially breached the confidentiality of Social Security Numbers will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with University policy and procedures.

Violation may also result in criminal prosecution. It is a felony, punishable by up to 5 years in prison, to compel a person to provide a Social Security Number in violation of Federal Law.

Contact Information

Office of the Chief Information Officer
517 Capen Hall
Buffalo, NY  14260
Phone:  716-645-7979

Chief Information Officer Approval

Signed by Chief Information Officer Elias G. Eldayrie

Elias G. Eldayrie, Chief Information Officer

11/19/2006

Date