Regulations on the Use of Social Security Numbers

With the implementation of the Banner system, UNC Charlotte will start the migration from using social security numbers (SSNs) as primary personal identification numbers for students and employees to an alternate ID.

Even after the Banner system is in effect, there will still be legitimate uses of the SSN on campus. Therefore,University employees who have access to SSNs must comply with the following regulations both prior to and after the Banner system is implemented:

Employees

1. Supervisors must limit access to records containing SSNs to only those employees who need to use the numbers for the performance of their duties as University employees.
2. Supervisors of temporary employees must limit the level of access that those employees have to SSNs and must provide appropriate training regarding the sensitivity of SSNs to those temporary employees who are required to have access to SSNs.
3. All persons who have access to HRS, SIS, FRS or other electronic systems containing SSNs are required to sign a Confidentiality Agreement (under Employee tab in Banner Self-Service). Those departments and units that have access to HRS, SIS, FRS or other electronic systems containing SSNs are subject to internal audit.

 

Forms, Documents, and Records

1. Any forms that require a personal identifier must label that field as such and not as “social security number.” Exempt are forms on which the SSN must be used under applicable federal or state law.
2. SSNs may not be displayed on materials or documents that are widely seen by others, such as identification cards, badges, time cards, employee rosters, bulletin board postings, grade postings, websites, and other materials.
3. Documents that include SSNs must be stored in a secure place. When possible, records containing SSNs, including back-ups, should be protected during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.
4. When possible, printed reports and other documents should not list SSNs; if SSNs need to be included in printed documents, such documents should be accessible only to individuals that require the information for the performance of their duties.
5. Printed documents that contain SSNs must be securely destroyed when they are no longer needed, or upon the expiration of their retention based on the applicable University records retention schedule.

 

Computers and the Internet

1. Electronic records containing SSNs may be stored only on University-owned electronic devices, and such devices must be secured against unauthorized access. Computer systems requiring the storage of SSNs should store them in a separate – if possible encrypted and password protected – data file.
2. Persons with access to HRS, SIS, FRS, or other electronic systems containing SSNs must take reasonable care to minimize the time that computer screens display SSNs and to shield computer screens displaying SSNs from those without a legitimate work-related reason to access the SSNs. Computer screens displaying SSNs should never be left unattended.
3. Information containing SSNs, or any part thereof (e.g., the last four digits of the SSN), may not be published on any University website.
4. Employees may not share passwords to computer systems that provide access to screens displaying SSNs.
5. No University employee may require individuals to use SSNs as passwords or codes for access to Internet websites or other services.
6. When computers are sent to surplus or transferred to another department, data containing SSNs must be destroyed (see University Policy 601.10, “Surplus Property Procedures,” and/or the ITS Procedures for Transferring a Computer to Another Person).
7. Users who borrow a University laptop computer for temporary use should ensure that any confidential information, including SSNs, that they may have stored on the computer’s hard drive in the course of such temporary use is removed before returning the computer to the University.

 

Mail and Email

1. No University employee may require individuals to send their SSNs over the Internet or by email for a University-related purpose, unless the connection is secure or the SSN is encrypted.
2. Printed documents containing SSNs should not be sent through the mail, except on applications or on forms when required by law. When sending applications or documents required by law to include SSNs through the mail, the SSN should not be revealed by an envelope window. Where possible, the SSN field on forms or applications should be left blank, and the individual filling out the form should insert the SSN before returning the form or application to the University.

 

Third Party Vendors

SSNs should not be disclosed to third parties external to the University except where required or permitted by law. When disclosing SSNs to third parties as required or permitted by law, such disclosure should be conditioned upon a written agreement that includes terms that:

1. Protect the confidentiality of the SSNs and prohibit the third parties from re-disclosing SSNs, except as required by law;
2. Require such third parties to use effective security controls on record systems containing SSNs;
3. Hold such third parties accountable for compliance with the terms imposed, including monitoring or auditing their practices; and
4. Indemnify the University against any claims related to the third party’s disclosure of the SSNs in violation of the terms of the agreement.

 

Inappropriate Disclosure

If a University employee discovers that SSNs have been disclosed inappropriately, and the individuals whose SSNs were disclosed are put at risk of identity theft or other harm, the employee must immediately notify ITS, which will work with the Office of Legal Affairs to ensure that those individuals are notified promptly.
Violation of University Policy

All employees who have access to SSNs should note that inappropriate use or disclosure of SSNs may constitute violation of University policy, including:

• University Policy 307, Responsible Use of University Computing and Electronic Communication Resources,
• University Policy 303, Network Security,
• University Policy 402, Student Records,
• University Policy 101.8, Personnel Records,
• University Policy 601.10, Surplus Property Procedures,
• University Policy 605.3, Retention, Disposition, and Security of University Records and
• University Policy 311, Data and Information Security.

Violation of any such policies may result in appropriate disciplinary actions.