Purpose & Scope
Southwestern Oklahoma State University (SWOSU) is devoted to preserving the confidentiality of sensitive and personal information.
The purpose is to institute a policy to ensure compliance with federal, state, and local law regarding SWOSU’s collection, use, maintenance, retention, and distribution of students, faculty, and staff Social Security Numbers (SSNs).
This policy applies to all staff, faculty, and university units that collect, use, store, and transmit SSNs.
Statement
SSNs must not be captured, retained, communicated, transmitted, displayed, printed, in whole or in part, except where required by law, or permitted in accordance with the standards outlined in this policy. This policy applies to all use, collection, and retention of SSNs, whether maintained, used, or displayed wholly or in part, and in any data format, including but not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile, or other medium as determined. In all cases, SWOSU approval must be obtained for the use, collection, and retention of SSNs.
All approved uses of SSNs must be consistent with SWOSU’s established data security principles and ensure the secure use, collection, and storage of SSNs.
SWOSU will take necessary and appropriate steps to comply with federal and other applicable laws regarding the use and retention of SSNs.
Objectives
In issuing this policy, SWOSU is guided by the following objectives.
- Increase awareness of the confidential nature of SSNs, the risk of identity theft related to unauthorized disclosure, and reduce collection of SSNs except where authorized by law or approved administrative exceptions.
- Laws governing the authorized use and storage of SSNs are listed in the “Related Laws, Regulations, and Policies” section of this policy.
- Exceptions for the use and storage of SSNs are listed in the “Exceptions” section of this policy.
- Decrease the use of SSNs in information systems and records, including display screens and printed reports, and decrease electronic storage of SSNs to a minimum number of locations.
- Create consistency concerning the collection, storage, use, and disclosure of SSNs throughout SWOSU and increase the confidence of students, employees, and affiliates/guests that their SSNs are handled in a confidential manner.
Policy
- Policy Definitions
  - Social Security Number (SSN) may be interpreted to include a 9-digit number issued by the federal government, through the Social Security Administration, primarily used to track individuals for taxation purposes. SSN may also be interpreted to include the Taxpayer Identity Number (TIN).
  - Individual Workstations: Includes, but is not limited to, desktops, laptops, tablets, smart phones, and PDAs.
  - Removable or Transportable Media: Includes, but is not limited to, paper forms, reports, cassettes, CDs, USB tokens, flash drives, hard drives, and zip drives.
  - Data Stewards: develop and gain approval for granting access rights, policies, and procedures, from the Executive Compliance Committee (ECC). Data stewards grant access to records containing SSNs only to those individuals requiring access as determined by job function. Data stewards work with the ECC on a continual basis to proactively review these grants of access, policies, and procedures to ensure compliance with this policy, as well as applicable law.
  - ERP System: The term is applicable to any infrastructure as a means of describing its importance to SWOSU’s mission and how it should be administered, protected, and funded. From a functional viewpoint, an ERP System will be either (a) the only delivery platform for an essential service, or (b) a platform for a service to a very broad constituency spanning organizational boundaries. An ERP system is most frequently administered and protected by an institutional unit with expertise in both the technology and the business functions delivered.
- Policy Standards
  - SWOSU does not permit the use of a SSN as the primary identifier for any person or entity in any system, except where the SSN is required or permitted by law and permitted by SWOSU policy.
  - Where permitted by law and SWOSU policy, the SSN may be stored as a confidential attribute associated with an individual or may be used as an optional key to identify individuals for whom a primary identifier is not known.
  - Individuals shall not be required to provide their SSN, verbally or in writing, at any point of service, nor shall they be denied access to those services should they refuse to provide an SSN, except where the collection of SSN is required by law or otherwise permitted by SWOSU policy. Individuals may voluntarily use their SSN if they wish, as an alternate means for locating a record.
  - Except where the SSN is required by law, the SWOSU ID/SWOSU Vendor ID (Employee ID/Student ID) will be used in all future electronic and paper data systems and processes to identify, track, and service individuals associated with SWOSU. The SWOSU ID will be permanently and uniquely associated with the individual to whom it was originally assigned.
  - All newly developed or acquired application software will not store SSN as a data element until a business requirement is submitted and approved by the Data Steward and/or other authorities as deemed appropriate.
  - Access to servers housing databases or records containing SSNs is restricted to system administrators; such servers are protected by an approved firewall appliance and should not be used by individuals to access the Internet or e-mail.
  - Where possible, all records containing SSNs should be stored on network drives with access limited to those individuals or entities that require access to perform a legitimate SWOSU job function. SWOSU encrypted workstations, laptops, and other equipment should not be used to store records containing SSNs.
  - All removable or transportable media containing SSNs must be secured when not in use. Reasonable security measures depend on the circumstances, but may include locked file rooms, desks, and cabinets. Any portable media such as USB drives or hard drives must be encrypted.
  - Subject to applicable document retention policies or unless required by law, when no longer required, paper documents and electronic media containing SSNs will be destroyed or disposed of using methods designed to prevent subsequent use or recovery of information.
  - SSNs will be released to entities outside SWOSU only where permitted or required by law or where approved by the ECC.
  - SWOSU will limit access to records containing SSNs to those individuals requiring access as determined by job function. Individuals permitted access to SSNs will be instructed on the appropriate handling and protection of this data by their management or designated representative.
Procedure
- Approval: All approval requests for new and/or continued use of SSNs must be submitted to the SWOSU ITS department. Requests will be reviewed by ITS and the ECC.
- Conversion: Systems currently using SSNs as primary identifiers that do not fall under the Exceptions section must convert to the SWOSU ID number. Those needing a cross-reference file to perform the conversion will submit a Helpdesk Ticket. Do not send any data at this time; you will receive further instructions from IT personnel on how to transmit the file.
- Review: The ITS Office will conduct a regular review of all production systems authorized to use SSNs.
- Access & Transmission
  - SSNs are not to be transmitted over the network/Internet unless they are encrypted or the connection is secure.
  - Departments that fall in the exception category must ensure that the SSNs are encrypted and are only stored on SWOSU-owned computers/servers.
  - Devices such as laptops, computers, PDAs, etc., that house SSNs must employ a whole-disk encryption solution, such as that offered and owned by SWOSU.
- Responsibilities: All employees are tasked with keeping sensitive and personal information confidential.
  - All departments will be required to annually verify their access to and usage of SSNs.
  - If your job requires you to view and/or update SSNs, ensure that the public and other unauthorized individuals cannot view your monitor. Secure your workstation from unauthorized use by locking your workstation when you step away from your desk, and log off or shut down your workstation when you leave the office for the day. Properly dispose of any written SSNs by shredding the document.
- The SWOSU ITS department will maintain the ERP System.
- Please contact the SWOSU ITS Helpdesk for assistance with any of the preceding security measures.
Related Laws, Regulations and Policies
- Federal: Privacy Act of 1974; Family Education Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act (GLB-A); and the Health Insurance Portability and Accountability Act (HIPAA).
- State: Oklahoma law: Title 74, Chapter 49, Section 3113.1, “Disclosure of Security Breach of Personal Computer Data – Notice to Owner or Licensee of Personal Data – Exception”; Oklahoma law: Title 74, Chapter 49, Section 3111, “Use Of Social Security Numbers By State Or Subdivisions Prohibited – Exceptions”; Oklahoma law: Title 40, Chapter 5, Section 173.1, “Employees' Social Security Numbers”; and Oklahoma law: Title 85, Chapter 2, Section 26, “Workers Compensation.”
Exceptions
While the collection and use of SSNs may be required for certain legal and business activities, approved use does not include retention of this information by departments without specific approval as required within this policy. Approved uses of the SSN by SWOSU, which may be limited to specific departments, are listed below.
- SWOSU Admissions Process: Information systems used by the SWOSU admissions process will be permitted to use SSNs.
- Employment: SSNs are required for a variety of employment matters, such as proof of citizenship, tax withholding, FICA, or Medicare.
- Application and Receipt of Financial Aid: Students applying for student aid using the Federal Free Application for Student Assistance (FAFSA) are required to provide SSNs. Students must also provide SSNs when applying for student education loans.
- Tuition Remission: SSNs are required for state reporting of taxable tuition remission benefits received by eligible employees, their spouses, and dependents.
- Accounts Receivable Management: SWOSU maintains contractual agreements with accounts receivable management entities. These entities require SSNs to perform their activities for SWOSU.
- Benefits Administration: SSNs are often required for verifying enrollment, processing, and reporting on various benefit programs, such as medical benefits, health insurance claims, and veterans' programs.
- IRS Reporting: SSNs are used for federally required reporting to the IRS. For example, SWOSU reports the value of all taxable and non-taxable scholarships and grants awarded to non-resident aliens to the IRS.
- ITS Department: The ITS Department is authorized to possess SSNs for law enforcement requests, internal investigations, and security breaches.
Enforcement
In accordance with the Southwestern Oklahoma State University Human Resources Confidential Information Policy, employees who violate this policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution. When appropriate, SWOSU may restrict a violator’s access to SWOSU resources pending further investigation of a possible violation of this policy.
Contact Information
Contact a member of the ECC if you suspect a breach of this policy, or with questions regarding these guidelines.
| Name | Title | Phone |
| --- | --- | --- |
| Lori Boyd | Vice President for Administration & Finance | (580) 774-3731 |
| Jonathan Clemmons | Assistant Vice President for Public Relations & Marketing | (580) 774-3063 |
| Adam Johnson | Vice President for Student Services | (580) 774-3177 |
| Patsy Parker | Vice President for Academic Affairs & Provost | (580) 774-3771 |
| Chad Kinder | Assistant Vice President for Strategic Partnerships | (580) 774-3790 |
| Garrett King | Executive Director for Institutional Advancement | (580) 774-3267 |
| Dayna Hardaway | Assistant Vice President for Human Resources | (580) 774-3275 |
| Dian Ray | Director of Information Technology Services | (580) 774-3271 |