Illinois Identity Protection Act (IPA) Awareness

Social Security Numbers at the University of Illinois (UI) and the Illinois Identity Protection Act (IPA)

Introduction:

The Identity Protection Act (5 ILCS 179) (IPA) is an Illinois state law that became effective June 1, 2010, seeking to control the collection and use of Social Security Numbers by state and local government agencies. The Act specifically prohibits certain uses of Social Security Numbers at public institutions and agencies, creates collection and protection requirements, and also requires state agencies (such as the University of Illinois) to enact an identity protection policy for public view and for employees working with Social Security Numbers (SSNs).

As part of the Act, the State requires that all employees who have access to Social Security Numbers in the course of performing their duties be trained to protect the confidentiality of Social Security Numbers from the time of collection through the destruction of the information. Early in the year 2000, the University of Illinois (UI) adopted a formal policy related to the collection, maintenance, and distribution of Social Security Numbers. The UI Social Security Number Policy (including detailed information pertaining to the IPA) is online at the University's SSN website.

Employees with Access to Social Security Numbers (SSNs):

Employees required to use SSNs and/or work with documents that include SSNs must be authorized to have access to them by their Dean, Director or Department Head (DDDH) or designee. In accordance with University data classification guidelines, SSNs are High Risk data whether collecting, using, or destroying them.

The University's SSN website provides detailed information for handling SSNs. If you have any questions, concerns, and comments on handling SSNs, please send email to the University's SSN Coordinators.

Activities Prohibited by the Illinois IPA:

NO person, or state or local government agency may do the following:

Publicly post or display an individual's Social Security Number
Print an individual's SSN on any card required for the individual to access products or services
Require an individual to transmit his or her SSN number over the internet, unless the connection is secure or the SSN is encrypted
Print an individual's SSN on any materials mailed to the individual (through USPS or electronic mail) unless:
1. State or federal law requires the SSN to be on the mailed document
2. The document is part of an application or enrollment process and the SSN is included to establish, amend or terminate an account, or to confirm the accuracy of that SSN
3. The SSN is not visible without opening the envelope
Require an individual to use her SSN to access a website
Use the SSN for any purpose other than the purpose for which it was collected

Rules (and Exceptions) For Collection of Social Security Numbers

Under the Act, SSNs may NOT be collected, used, or disclosed unless:

Required to do so by state or federal law, or the collection, use, or disclosure is otherwise necessary for the performance of the agency's duties and responsibilities
The need and purpose for the SSN is documented BEFORE the collection
The SSN number that is collected is actually relevant to the documented need and purpose

Those requirements have several exceptions:

SSNs may be disclosed to employees, agents, contractors or subcontractors of a governmental entity, or disclosed to another governmental entity in order for the performance of duties and responsibilities, AND as long as the person receiving the disclosed information has given to the original government entity a copy of their policy that explains how the recipient will comply with the Identity Protection Act.
SSNs may be disclosed pursuant to a court order, warrant or subpoena.
Collection and disclosure of SSNs can take place in order to ensure the safety of state and local government employees.
SSNs may be collected, used, and disclosed for internal verification or administrative purposes.
SSNs may be collected, used, and disclosed in order to locate a missing person, a lost relative or a person who is due a benefit.

Public Inspection and Copying Requirement

If the state agency collects Social Security Numbers and uses them on forms/documents that might be subject to public inspection and copying (e.g., FOIA requests), then the state agency must redact the Social Security Numbers BEFORE the public inspection and copying takes place.

Prohibition Against Embedding of Social Security Numbers

Under the Act, Social Security Numbers may not be embedded in cards or other devices through chip, magnetic strip, RFID, or other technologies. For example, an employee's SSN cannot be stored on the magnetic strip found on an i-Card.

Guidelines for Protecting SSNs

Social Security Numbers are classified as high risk data and need to be protected through the life cycle. Below is a short list of concerns / guidance for handling SSN data.

Creation

- If collecting SSNs, do you have an approved disclosure statement?

When requesting the SSN, you need to explain: 1) whether submission is mandatory or voluntary; 2) by what authority the number is solicited; and 3) what uses will be made of it. All disclosure statements must be approved by the UI SSN Coordinators.

- Is the data being created in a secure location?

SSNs need to be restricted to only the individuals that are approved to have access to them.

- Are you creating multiple copies?

Using a shared copy is preferred over keeping separate copies.

- Do you really need to copy the data or is access sufficient?

Transfer

- Are you transferring the data securely?

Box.com is NOT approved for the storage or sharing of SSNs or other high risk data.
PEAR allows secure transfer of data between individuals using the University's Enterprise Authentication Service (EAS).
Xferprod is an enterprise secure file service to transfer in/out of the University as well as between environments within the University.
The University recently established the capability to issue official University certificates (i.e., InCommon / Comodo Personal Certificates) that can be used for encrypted email with others.

- Are you authorized to transfer the data?

SSNs cannot be released outside of the University without the consent of the UI SSN Coordinators. The exception is the release to governmental bodies with an explicit legal right to SSNs, such as the IRS.

- Is the person who is receiving the data authorized to have it?

SSN data should only be delivered to an approved individual, not sent generically to an organization or unit. Store

- Can your document be protected with a password?

Many applications provide the ability to use a document-specific password to restrict access, however this is not sufficient for exchanging information over email.

– Secure data so only authorized people can access it

Paper documents should be stored in locked cabinets when not in use.
Electronic files should be restricted to smallest number of people possible through access controls.

– Encrypt data (especially on portable devices)

SSNs and other high risk data are not to be stored on portable devices without encryption.
Where possible, encrypting SSNs stored in files and databases is preferred.

Delete

– Paper documents with sensitive information should be shredded using a cross-cut shredder.
– Securely erase data on digital media

All data on magnetic media must be rendered unreadable before being transferred between individuals or units within the University, to third-parties for equipment trade-in or warranty work, or before being transferred to University Surplus for recycling.
For additional details please see https://wiki.cites.uiuc.edu/wiki/display/ITStandards/Disposal+of+Digital+Media+Standard

Additional Guidance:

The Urbana campus provides training on working with sensitive data. Additional information can be found at https://security.illinois.edu/content/sensitive-data-orientations

Contact for Questions:

Please send questions, concerns, and comments to the UI SSN Coordinators.