Scope
This policy applies to all departments, faculty, staff, and students at the College. Social Security Numbers are highly confidential and legally protected data. Geneseo is committed to protecting the privacy and legal rights of its community members and to protecting community members from identity theft, one of the fastest-growing crimes.
Policy Statement
The purpose of this policy is to:
- To protect the privacy and legal rights of the members of the College community.
- To generate broad awareness of the confidential nature of the Social Security Number.
- To reduce the use of the Social Security Number (including partial SSN) for identification purposes.
- To promote confidence by students and employees that Social Security Numbers are handled in a confidential manner.
Definitions
Policy
It is the policy at Geneseo that the use of the Social Security Number as a common identifier and the primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions.
Disclosure statements will be provided whenever a Social Security Number is requested, in compliance with the Federal Privacy Act of 1974.
- Control and approval of the use of Social Security Number in any electronic system or form is assigned to the Information Security team. Social Security Numbers should be collected only for the purpose of processing student loans, employment, and to meet other legal obligations. The collection, use, and dissemination of student SSNs or any part thereof for other purposes is strongly discouraged. For SSN access in Banner, a director or department head must submit a Banner Social Security Number Access Request Form. To request approval to use SSN on any other electronic system or to request SSN on a form (electronic or paper), a director or department head must submit a Social Security Number Request to Use Form.
- A Geneseo ID Number will be assigned to all students, employees, and associated individuals at the earliest point possible in the individual’s contact and association with the College. The Geneseo ID Number replaces the Social Security Number as the preferred common, unique identifier and key to Geneseo databases. Where possible, the Geneseo ID Number will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the College.
- All forms on which persons are required to provide Social Security Numbers must contain or have appended to them a statement explaining the College request; e.g., the legal obligation on which the request is based, if there is one and the use that will be made of the Social Security Number.
- For example, on an employment form, the following text can be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is required pursuant to the Internal Revenue Service Code. The Social Security Number is required to verify your identity.
- If the Social Security Number is not required, but requested, the fact that supplying it is voluntary should be noted and the option of assigning a temporary, “dummy number” should be offered.
- For example, when SSN is voluntary, the following text may be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is voluntary and not required on this form. If you do not choose to disclose your Social Security Number, a temporary identification number will be generated for you.
- If the Social Security Number is not mandated by law, but is needed for a business purpose, e.g., in the early stages of the admissions process (e.g., to match standardized test scores such as SATs, ACTs, etc.), a disclosure statement of the following form may be used: The Federal Privacy Act of 1974 requires that you be notified that disclosure of your Social Security Number is not mandated by law, however, the College uses your Social Security Number to match your application credentials correctly and quickly.
- Except where the College is legally required to collect a Social Security Number, individuals will not be required to provide their Social Security Number, verbally or in writing, at any point of service, nor will they be denied access to those services should they refuse to provide a Social Security Number. However, individuals may volunteer their Social Security Number, if they wish, if the primary means for identification is unavailable.
- Social Security Numbers will be stored as a confidential attribute associated with an individual. They will be used as allowed and mandated by law.
- Social Security Numbers will not be publicly displayed on any list or roster.
- Encryption of Social Security Numbers is required between server and client workstations and whenever data are transmitted over public unsecured networks. Web applications transmitting SSN must use https encryption. Email must be encrypted if transmitting SSN over email is unavoidable.
- Paper and electronic documents containing Social Security Numbers will be handled, used, and disposed of in a proper fashion. Proper disposal is defined as any method that shreds the record before the disposal of the record; or destroys the personal identifying information contained in the record; or modifies the record to make the personal identifying information unreadable; or takes actions consistent with commonly accepted industry practices to ensure that no unauthorized person will have access to the personal identifying information contained in the record. For more information on handling private information, view Information Security Best Practices document.
- Records or reports containing SSNs or other confidential information will not be downloaded or stored on College or personal computers or other electronic devices that are not secured against unauthorized access. Devices storing SSN or confidential information must be encrypted.
- Social Security Numbers will be released by the College to entities outside the College only as allowed by law, when the individual grants permission, when the external entity is acting as the College’s contractor or agent and adequate security measures are in place to prevent unauthorized dissemination to third parties or when Legal Counsel has approved the release.
- Social Security Number breaches must be immediately reported to the Chair of the Information Security Program Team directly or by completing the Information Security Incident Reporting Form.
Compliance
An employee or student who has substantially breached the confidentiality of Social Security Numbers will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with College policy and procedures.
Violation may also result in criminal prosecution. It is a felony, punishable by up to 5 years in prison, to compel a person to provide a Social Security Number in violation of Federal Law.
Frequency of Review and Update
Every 3 years
Approval
Date of Approval