Date Established: 1/19/2006
Date Last Revised: 1/16/2018
Category: Information Technology
Responsible Office: Chief Information Officer
Responsible Executive: Vice President and Chief Information Officer
The university handles social security numbers in compliance with federal and state laws to maintain the security and privacy of the university community.
The University at Buffalo (UB, university) is committed to maintaining the privacy, confidentiality, and proper handling of social security numbers (SSNs). The university recognizes that misuse or inadvertent disclosure of SSNs can pose privacy risks to individuals as well as compliance or reputational risks to the university. Therefore, the university prohibits the usage, storage, or dissemination of SSNs unless there is a specific business purpose.
The Social Security Number Oversight Committee grants permission to collect or access SSNs and conducts an annual review of access and collection to ensure the business need still exists. SSN access is revoked thirty (30) business days after the date of the annual review if reauthorization is not received. Units with access to SSNs must document their controls to secure SSNs.
The university will request and use SSNs as required by law or for certain business purposes with appropriate disclosure. The UB Person Number will serve as the primary identification number for university faculty, staff, and students.
An employee or student who has substantially breached the confidentiality of SSNs will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with university policy and procedures. Violation may also result in criminal prosecution. It is a felony, punishable by up to five years in prison, to compel a person to provide a SSN in violation of federal law.
The university, in its capacity as an employer and educational institution, collects personal and private information including SSNs. The university recognizes the importance and sensitivity of this information and strives to:
This policy applies to:
This policy does not apply to affiliated business entities.
Affiliated Business Entity
An entity that may be physically located at the university, but is legally separate (e.g., corporation).
Social Security Number (SSN)
A nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents. The number is issued to an individual by the Social Security Administration. SSN may be interpreted to include the Taxpayer Identification Number. The SSN (full and partial) is considered Category 1 – Restricted Data, as defined in the Data Risk Classification Policy.
Social Security Number Oversight Committee
This committee includes leadership from units that act as data stewards for SSNs. Membership includes, but is not limited to, leadership or designee from the following offices: Registrar, Human Resources, Controller, and Information Security.
UB Person Number
A unique, eight-digit number assigned by UB to all students, employees, and others, as appropriate, upon initial association with the university. The UB person number is a mechanism to identify, authenticate, and provide services to individuals.
|Vice President and Chief Information Officer ||firstname.lastname@example.org|
|Information Security Officeremail@example.com|
|January 2018||Full review. Updated the policy to: |
• Change the name of the policy from Social Security Number Usage to Social Security Number
• Remove text related to the procedure and timeframe for discontinuing use of SSN numbers as a common identifier (January 1, 2006)
• Provide guidelines for using SSNs
• Establish a SSN access request procedure