ECU Regulation on Social Security Numbers (SSN) and
|History:||First Issue September 12, 2007
||July 20, 2012
||UNC Policy 1300.5[G]. Guidelines on Use of the Social Security Number by the University
|Contact for Info:||Amy Bissette Barber, Associate Registrar, 252.737.2281|
- NC Gen. Stat. § 132-1.10 (Social Security Numbers and other Personal Identifying Information)
- NC Gen. Stat. § 75-60 et seq. (Identity Theft Protection Act)
- NC Gen. Stat. § 14-113.20 Identity Theft
- NC State Privacy Act § 143-64.60
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA)
- Recovery Act of 2009
East Carolina University Policy
Social Security Numbers and Personal Identifying Information
This regulation applies to the collection, use, security and disclosure of social security numbers (SSNs) and Personal Identifying Information1 (PII) by East Carolina University (ECU) and the regulation of SSNs and PII.
1.1 PII is all "identifying information" as defined by NC Gen. Stat. § 14-113.20(b) and vehicle license plate numbers. "Identifying information" is defined by G.S. §14-113.20(b), as limited by NC Gen. Stat. §132-1.10 to include:
1.1.1 Social security or employer taxpayer identification numbers
1.1.2 Drivers license, state identification card or passport numbers
1.1.3 Checking account numbers
1.1.4 Savings account numbers
1.1.5 Credit card numbers
1.1.6 Debit card numbers
1.1.7 Personal Identification (PIN) Code as defined in G.S. 14-113.8(6)
1.1.8 Electronic identification numbers, electronic mail names or addresses, Internet account numbers or Internet identification names
1.1.9 Digital signatures
1.1.10 Any other numbers or information that can be used to access a person's financial resources
1.1.11 Biometric data
1.1.14 Parent's legal surname prior to marriage
2.1 General Statement
SSNs and PII may only be collected, used and/or disclosed by ECU and its employees and agents as permitted by applicable law and university policy and only in furtherance of legitimate university business.
2.2 Identity Theft Protection Committee (ITPC)
In order to implement and ensure compliance with legal requirements governing SSNs and PII (including, but not limited to those discussed in sections 3, 4, 5 and 6 of this regulation), ECU has established the Identity Theft Protection Committee (ITPC) to oversee the compliance of ECU with respect to the collection, segregation, disclosure and security of SSNs and other PII and the development of related policies. The ITPC is also responsible for approving the collection and use of SSNs and other PII in cases where the collection and use is not already directed or permitted by applicable state or federal law or directives. In all cases, including those where collection and use of SSNs and other PII are already directed or permitted by such higher authority, the ITPC is responsible for reviewing and approving the manner of collection, storage, and transmittal of SSNs and other PII to ensure that adequate controls are in place to protect the sensitive data. Membership in the ITPC shall include at least one representative from each university division, as well as other personnel who have specific expertise that is directly relevant to the committee (such as legal, FERPA, HIPAA, security, etc.). The divisional representatives shall be appointed by the Vice Chancellor of their respective division and have delegated authority to make recommendations and implement approved processes to maintain compliant use of SSN and PII within their respective division. A list of ITPC members is located on the ITPC website,www.ecu.edu/cs-itcs/ssnresource/.
2.3 Collecting Social Security Numbers
2.3.1 Unless specifically authorized by the ITPC, no university entity or employee shall create a form or electronic template that requires or contains a SSN for any purpose. This prohibition includes the creation of databases, reports, internal spreadsheets or other documents that contain SSNs. SSNs will no longer be used as the university identifier. Requests for ITPC review and approval should be e-mailed, along with the form or template for which approval is sought, to ITPC@ecu.edu.
2.3.2 For approved forms and electronic templates used for the collection of SSNs, a disclosure statement compliant with the provisions of the State Privacy Act and UNC Policy 1300.5[G] must be used. Compliant template disclosure statements may be copied and pasted electronically by accessing the document entitled, Disclosure Statements for Collecting SSNs, online at www.ecu.edu/cs-itcs/ssnresource/.
2.4 Segregating/Separating Social Security Numbers
Pursuant to law, each university entity that properly collects SSNs must segregate/separate SSNs from the rest of the record in some manner that permits SSNs to be easily redacted/removed in the event of a public records request. For example, if a department appropriately collects SSNs in a document or form, the SSN should be on a line by itself so that it can be easily redacted/removed without affecting public information on the document or form. SSNs shall not be included in header or footer information or as part of the document file name.
2.5 Disclosing SSNs and PII
2.5.1 Pursuant to law, university entities may not intentionally communicate or otherwise make available to the general public a person’s SSN or PII. SSN and PII are confidential.
2.5.2 Disclosures of SSN or PII to university vendors, contractors or other external entities must be reviewed and approved in advance by the ITPC. The vendor, contractor or external entity must complete a form certifying its compliance with applicable law. This form is available from the ITPC and may be accessed online at www.ecu.edu/cs-itcs/ssnresource/. Upon execution, departments must maintain a copy of this form in their files. The collection of SSNs or PII on behalf of or as requested by another state or federal government entity must be approved in advance by the ITPC.
2.5.3 If a court order, warrant or subpoena demanding the disclosure of SSNs or PII is served upon an ECU employee, that employee should immediately contact the Office of the University Attorney.
Requests for ITPC review, approval and disclosure of SSN or PII should be e-mailed to ITPC@ecu.edu.
2.6 Securing Social Security Numbers and Personal Identifying Information
2.6.1 University entities authorized by the ITPC to maintain SSNs or other PII must utilize security measures to protect this information. Proper security measures include but are not limited to locked filing cabinets and offices, password-protected electronic files, and electronic encryption measures. Guidelines for protecting SSNs are found at http://www.ecu.edu/ssnresource.
2.6.2 University entities and individuals not authorized by the ITPC to maintain SSN or PII, or which are not seeking ITPC approval, should immediately and properly delete and/or destroy SSNs and PII from every source, wherever located and in whatever form. Guidelines for deletion may be found at www.ecu.edu/ssnresource.
2.6.3 Except as otherwise approved by the ITPC, the storage of SSNs or PII on local computers, laptops, portable devices or home/personal computers and/or electronic devices is prohibited.
2.6.4 SSNs or PII may not be sent electronically (by e-mail or otherwise) unless such data is encrypted and only if SSN use is authorized by the ITPC. Guidelines on encryption may be found at www.ecu.edu/cs-itcs/itsecurity/DataEncryption.cfm.
2.6.5 SSNs may not be printed on any materials that are mailed to an individual, unless state or federal law requires that the social security number be on the document to be mailed. The mailing of materials that contain SSNs must be approved in advance by the ITPC.
Questions regarding these requirements may be e-mailed to ITPC@ecu.edu.
3. State Privacy Act (SPA) Restrictions
3.1 Pursuant to the State Privacy Act, ECU shall not deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his/her SSN except refusal to disclose after a request pursuant to the requirements of a statute.
3.2 All individuals from whom SSNs are solicited shall be informed of: 1) whether or not the requested disclosure is mandatory or voluntary; 2) by what statutory or other authority the SSN is being solicited; and 3) what uses will be made of the SSN.
4. North Carolina Identity Theft Protection Act of 2005 Restrictions
4.1 The North Carolina General Assembly enacted the North Carolina Identity Theft Protection Act in 2005 (NCIDTPA). The NCIDTPA imposed restrictions on the collection and segregation of SSNs and upon the disclosure and security of SSNs and PII as follows:
4.1.1 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(1), SSNs shall not be collected from an individual unless authorized by law to do so or unless the collection of the SSN is otherwise imperative for the performance of ECU’s duties and responsibilities as prescribed by law. SSNs collected by ECU must be relevant to the purpose for which collected and shall not be collected until and unless the need for SSN has been clearly documented.
4.1.2 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(2),when collecting a SSN from an individual, the SSN must be segregated on a record in an appropriate manner that permits the SSN to be easily redacted in the event of a public records request.
4.1.3 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(3), ECU shall not fail, when collecting a SSN from an individual, to provide, at the time of or prior to the actual collection of the SSN, that individual, upon request, with a statement of the purpose or purposes for which the SSN is being collected and used.
4.1.4 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(4), ECU shall not use a SSN for any purpose other than the purpose stated.
4.1.5 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(5), SSNs and/or PII shall not be intentionally communicated or otherwise made available to the general public. SSNs and PII are confidential except where disclosure is otherwise permitted by law.
4.1.6 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(6), SSNs shall not be intentionally printed or embedded on any card required for an individual to access ECU services.
4.1.7 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(7), unless the connection is secure or the social security number is encrypted, an individual shall not be required to transmit his/her social security number over the Internet.
4.1.8 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(8), an individual shall not be required to use his/her SSN to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.
4.1.9 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(9), SSNs shall not be printed on any materials that are mailed to an individual unless state or federal law requires the SSN to be on the document to be mailed. A SSN that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
4.1.10 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(1), SSN(s) and PII may be disclosed to another governmental entity or its agents, employees, or contractors if the disclosure is necessary for the receiving entity to perform its duties or responsibilities. The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers.
4.1.11 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(2), SSNs and PII may be disclosed pursuant to a valid court order, warrant or subpoena. Please contact the Office of the University Attorney if a court order, warrant or subpoena is served.
4.1.12 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(3), SSNs and PII SSNs and PII may be disclosed for public health purposes pursuant to and in compliance with Chapter 130A of the General Statutes.
4.1.13 Unauthorized Access or Disclosure of SSNs and PII. Any time it is believed that SSNs and/or PII maintained by ECU have been subject to unauthorized access or disclosure by an unauthorized party, the incident should be reported immediately to the Information Security Officer.
5. Educational Rights and Privacy Act (FERPA) Restrictions
Student SSNs and PII maintained by ECU are education records pursuant to FERPA. As such, student SSNs and PII may not be disclosed except as permitted by FERPA. Generally, express written permission from the student is required for disclosure of this information to a third party. Please contact the University Registrar with questions.
6. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Restrictions
SSNs are also considered "protected health information" (PHI) under the HIPAA Privacy Rules. As such, the use and disclosure of SSNs are subject to other restrictions under those rules and the ECU policies that govern the use and disclosure of PHI. Please contact the ECU HIPAA Privacy Officer with any questions related to the proper use and disclosure of SSNs and PII under the HIPAA Privacy Rules. Information can also be found on the ECU HIPAA website at www.ecu.edu/hipaa/.
7. Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) Restrictions
The university is governed by the breach notification requirements of the HITECH Act. The Act requires the implementation of additional security controls to minimize the risk of data security breaches of PHI. SSNs, considered PHI under HIPAA Privacy rules are also subject to those additional security controls and thus use and storage of SSNs are further restricted. Please immediately contact the HIPAA Privacy and Security Officers, respectively, if you are aware of a possible breach involving PHI. Any questions related to the proper use and storage of SSNs and PII under HIPAA may also be so directed. Information can also be found on the ECU HIPAA website at www.ecu.edu/hipaa/.