University at Buffalo Crest

Policy Information

Date Established: 1/19/06
Date Last Revised: 1/16/2018
Category: Information Technology
Responsible Office: Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer

Policy Contents

Social Security Number Policy

Summary

The university handles social security numbers in compliance with federal and state laws to maintain the security and privacy of the university community.

Policy Statement

The University at Buffalo (UB, university) is committed to maintaining the privacy, confidentiality, and proper handling of social security numbers (SSNs). The university recognizes that misuse or inadvertent disclosure of SSNs can pose privacy risks to individuals as well as compliance or reputational risks to the university. Therefore, the university prohibits the usage, storage, and/or dissemination of SSNs unless there is a specific business purpose.

The Social Security Number Oversight Committee grants permission to collect or access SSNs and conducts an annual review of access and collection to ensure the business need still exists. SSN access is revoked thirty (30) business days after the date of the annual review if reauthorization is not received. Units with access to SSNs must document their controls to secure SSNs.

The university will request and use SSNs as required by law or for certain business purposes with appropriate disclosure. The UB Person Number will serve as the primary identification number for university faculty, staff, and students.

Compliance

An employee or student who has substantially breached the confidentiality of SSNs will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with university policy and procedures. Violation may also result in criminal prosecution. It is a felony, punishable by up to five years in prison, to compel a person to provide a SSN in violation of federal law.

Background

The university, in its capacity as an employer and educational institution, collects personal and private information including SSNs. The university recognizes the importance and sensitivity of this information and strives to:

  • Comply with federal, state, and local laws and regulatory mandates
  • Protect the privacy and legal rights of the university community
  • Generate broad awareness of the confidential nature of the SSN
  • Increase emphasis on secure use, transmission, and storage of the SSN
  • Reduce the use of the SSN for identification purposes
  • Promote confidence by students and employees that SSNs are handled in a confidential manner

Applicability

This policy applies to:

  • All faculty, staff, students, volunteers, and other members of the university community who use UB information resources, particularly those who are entrusted with sensitive data and data protected by law or other UB policies.
  • The use, collection, and retention of SSNs, whether maintained, used, or displayed wholly or in part, and in any data format, including but not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile, or other medium.

This policy does not apply to affiliated business entities.

Definitions

Affiliated Business Entity

An entity that may be physically located at the university, but is legally separate (e.g., corporation).

Social Security Number (SSN)

A nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents. The number is issued to an individual by the Social Security Administration. SSN may be interpreted to include the Taxpayer Identification Number. The SSN (full and partial) is considered Category 1 – Restricted Data, as defined in the Data Risk Classification Policy.

Social Security Number Oversight Committee

This committee includes leadership from units that act as data stewards for SSNs. Membership includes, but is not limited to, leadership or designee from the following offices:  Registrar, Human Resources, Controller, and Information Security.

UB Person Number

A unique, eight-digit number assigned by UB to all students, employees, and others, as appropriate, upon initial association with the university. The UB person number is a mechanism to identify, authenticate, and provide services to individuals.

Responsibility

Information Security Officer

  • Prepare annual compliance reports.

Social Security Number Oversight Committee

  • Review and approve requests for access to or collection of SSNs.
  • Review annual compliance reports.  

Faculty, Staff, Students

  • Comply with all applicable federal and state laws and university policies related to SSNs.
  • Follow the SSN Access Request Procedure to request approval to access or collect SSNs.
  • Dispose of records containing SSNs in a secure and responsible manner.
  • Report incidents of unauthorized disclosure, loss, or theft of SSNs to the Information Security Officer.

Contact Information

Contact Phone Email
Vice President and Chief Information Officer
716-645-7979 vpcio@buffalo.edu
Information Security Officer 716-645-6997 sec-office@buffalo.edu

Related Information

University Links

Forms

Related Links

History

January  2018 Full review. Updated the policy to:
  • change the name of the policy from Social Security Number Usage to Social Security Number
  • remove text related to the procedure and timeframe for discontinuing use of SSN numbers as a common identifier (January 1, 2006)
  • provide guidelines for using SSNs
  • establish a SSN access request procedure

Presidential Approval

Signed by President Satish K. Tripathi

Satish K. Tripathi, President

1/16/2018

Date