Social Security Number Policy
Policy Information
Policy Owner: Executive Vice President and Vice President for Academic Affairs
Approved by: Executive Vice President and Vice President for Academic Affairs
Date Approved: 02/2000
Effective Date: 02/2000
Date Amended (most recent): 9/19/2022
Targeted Review Date: 9/19/2025
Contact: SSN@uillinois.edu
Purpose
The purpose of this policy is to:
- Reinforce awareness of the confidential nature of Social Security Numbers (SSNs);
- Minimize reliance on the use of SSNs for identification purposes;
- Require a consistent approach to protecting the confidentiality of SSNs throughout the University of Illinois System;
- Increase confidence that SSNs are handled in a confidential manner; and,
- Facilitate compliance with applicable state and federal laws.
Scope
This policy applies to all students and employees of the University of Illinois System, including the universities at Urbana-Champaign, Chicago, and Springfield; the System Offices; and the University Hospital and clinics (collectively, the “System,” individually “University” or “Hospital”).
Background
Consistent with the University of Illinois System Privacy Statement, the System collects and maintains confidential information relating to its students, employees, and other individuals associated with the System (including research subjects and healthcare recipients) and is dedicated to ensuring the privacy and proper handling of this information.
Statement of Policy
The University of Illinois System collects, uses, and stores SSNs only when necessary to conduct System business. Any collection, use, and retention of SSNs shall be in accordance with System policy and applicable law, including the Illinois Identity Protection Act, FERPA, HIPAA, and the Privacy Act of 1974.
Violations
Any employee or student who breaches the confidentiality of SSNs may be subject to disciplinary action or sanctions up to and including discharge or dismissal in accordance with System policies and procedures.
Procedures
SSN Coordinators
Each University and the System Offices will designate an SSN Coordinator. Each SSN Coordinator is responsible within their constituency for:
- Overseeing compliance with this policy;
- Providing support, guidance, and problem resolution for offices working with SSNs;
- Serving as an intermediary between System units and University Counsel when an opinion on the disclosure of SSNs is required or as otherwise needed;
- Reporting security/privacy incidents in violation of this policy to their respective IT Security/Privacy office;
- Communicating regularly to resolve differences in implementation procedures to promote uniformity and compliance across the System;
- Authorizing the use of SSNs in all electronic systems and applications; and
- Approving, in consultation with the Office of University Counsel, proposed new SSN disclosure statements or modifications to existing SSN disclosure statements, and arranging for them to be posted to the SSN Disclosure Statement webpage.
Collection, Use, and Storage of SSNs
SSNs may be used in the following ways:
- SSNs will be collected only when mandated or permitted by law and required for a legitimate University business purpose. In such cases, SSNs shall be stored as a confidential attribute associated with an individual.
- In cases where the University is permitted by law to request an SSN before providing a service, individuals will not be required to provide their SSN, verbally or in writing, at any Point of Service (as defined below), nor will they be denied access to those services should they refuse to provide their SSN. Individuals may, however, volunteer their SSN as an alternate means of locating a record.
- Subject to this policy and applicable law, System employees may use SSNs as needed during the execution of their duties, such as when a primary means of identification (e.g., a University Identification Number or “UIN”) is unavailable.
- Units seeking to collect, use, or store SSNs must receive explicit permission to do so from their University or System Offices SSN Coordinator. Business cases supporting such requests must include the legal or functional requirements for using the SSNs, detailed descriptions of the security precautions planned for any systems and/or applications processing SSNs, and how the unit is prepared to cover the costs of any potential data breach.
- Units authorized to collect, use, or store SSNs must restrict access to SSNs to only those who need access to the SSNs to perform their System duties. Units should require employees accessing SSNs to sign nondisclosure agreements, information security agreements, or similar forms.
- All System forms and documents (whether electronic or paper) and electronic applications that collect SSNs will use the applicable language included on the SSN Disclosure Statement webpage and will indicate whether the request is voluntary or mandatory as determined by applicable law or university policy and confirmed by the relevant SSN Coordinator in consultation with the Office of University Counsel. In addition, the System will provide upon request the relevant statement from the SSN Disclosure Statement webpage indicating the purpose or purposes for which the System is collecting and using the SSN.
- SSNs will not be used to post grades or other pieces of personal information.
- SSNs will not be used in whole or in part as a temporary or permanent passcode or PIN to access a website or for other electronic access requirements.
- Units authorized to collect, use, or store SSNs must notify their SSN Coordinator should their use of SSNs no longer be necessary.
- Paper and electronic documents containing SSNs, including unencrypted and unsecure emails received from individuals, will be disposed of, or stored in a Secure Fashion, as defined below.
Transmission and Disclosure of SSNs
SSNs will be electronically transmitted only through methods approved for transmission of high-risk data in the relevant University’s IT Security Program. Consistent with those programs, individuals will not be required to transmit their SSNs over the Internet unless the connection is secure, or the SSN is encrypted.
SSNs will be disclosed by the University to outside entities only when permitted or required by law or when permitted by the individual.
Before disclosing SSNs to a contractor, subcontractor, or agent, the System must first receive a copy of the contractor’s, subcontractor’s, or agent’s policy that sets forth how the contractor, subcontractor, or agent will comply with the provisions of the Illinois Identity Protection Act applicable to the System. Outside entities acting as the System's contractor, subcontractor, or agent must, to the satisfaction of the University unit contracting with them, have adequate security measures in place to prevent unauthorized dissemination of SSNs to third parties.
SSNs requested from individuals will be placed in a manner that allows them to be easily redacted if the record in which they are contained is required to be released as part of a public records request.
Definitions
Point of Service - a physical or electronic interaction between the System and its employees, students, or other individuals, during which the System provides physical, educational, informational, or electronic services to the individual.
Secure Fashion – In the context of the destruction of paper and electronic documents, this refers to a method that defeats attempts of theft and unauthorized viewing, e.g., the shredding of documents containing SSNs and the use of “confidential” recycling bins. For electronic documents, this refers to the storage of SSNs on devices protected by university-provided credentials and encrypted at rest using a university-approved encryption mechanism.
Training
So that employees having access to SSNs understand the importance of protecting the confidentiality of SSNs, each University will provide regular security awareness training on handling high risk data, which includes SSNs. The training should include instructions on proper handling of information that contains SSNs from the time of collection through the destruction of the information.
Forms, Tools, and Additional Resources
University Identification Numbers
SSN Policy Administration and SSN Coordinators
SSN Disclosure Statement webpage
Illinois Identity Protection Act
Website Address for this Policy
Social Security Number Policy