FAQs
What is the Identity Theft Protection Committee (ITPC)?
What is the Policy on SSN and PII?
What is the Standard on SSN and PII?
Will the new policy eliminate the use of SSN on the campus?
There are SSNs on documents that we currently store. What should we do with such documents?
How do I know if I have electronic data that contain SSN?
How do I or my department request to use, collect, store or disclose SSN?
What is the SSN online survey?
Do we have to have all new forms printed using ECU ID instead of SSN? We can't afford that.
We have collaborators in our department. Since they aren't employees, are they covered by this policy?
How do I dispose of information with SSN data stored on paper copies?
How do I dispose of data containing SSN stored on a computer?
How do I delete SSN data stored on CD-ROM or DVD-ROM disks?
How do I delete SSN data stored on removable media (e.g., floppy disk, Zip disk, tape)?
Who do I ask for advice on deleting data securely?
How do I encrypt SSN data that I store or transmit?
What is the Identity Theft Protection Committee (ITPC)?
During the 2005 legislative session, the General Assembly enacted the North Carolina Identity Theft Protection Act (the “Act”) http://www.ecu.edu/itsecurity/Identity-Theft-Act.cfm. The Act imposes new restrictions upon the collection and segregation of Social Security Numbers (“SSNs”), and upon the disclosure and security of SSNs and other personal identifying information1 (“PII”). In order to implement the requirements of the Act, East Carolina University (the “University”) has established the Identity Theft Protection Committee (“ITPC”) to oversee the compliance of the University with respect to the collection, segregation, disclosure, and security of SSNs and PII and the development of related policies. Click here for ITPC members.
What is the Policy on SSN and PII?
It is a University policy that states that SSNs and PII may only be collected, used, and/or disclosed by ECU and its employees and agents as permitted by applicable law and university policy and only in furtherance of legitimate university business. It sanctions the ITPC and governs its review and approval of the use of SSNs and PII for the University.
What is the Standard on SSN and PII?
It is a University standard that provides specific actions that ECU employees and its agents should take in regard to the collection, use, and/or disclosure of SSNs and PII. Please visit www.ecu.edu/ssnresource to review the SSN and PII Standard.
Will the new policy eliminate the use of SSN on the campus?
No. Although the university is working to minimize the use of Social Security Numbers (SSNs) to the greatest degree possible, there are still instances in which SSNs will be required, such as in financial aid forms or in filling out employment forms. For most operations, the ECU ID should be all that is required to submit to conduct your business with the university, but on some forms SSN is still required. The request for SSN must be accompanied by a disclosure statement explaining how the SSN will be used.
There are SSNs on documents that we currently store. What should we do with such documents?
We recognize that older documents and files exist that include SSN. It's not practical to remove the SSN from these documents and accordingly other safeguards must be in place to protect that information. Paper copies must be kept locked and inaccessible to unauthorized users. Electronic copies must be moved to secure storage and/or encrypted. The Identity Theft Protection Committee (ITPC) is currently conducting an online survey to determine where SSN is collected, used, stored and disclosed. Indicate on your SSN online survey that you store this type of data and an ITPC representative will contact you to recommend the best solution for your situation.
How do I know if I have electronic data that contain SSN?
Consider the type of data that you handle. Do you have old student course rosters, I9 forms, timesheets, Performance Evaluations or other personnel documents? Much of the data containing SSN or other PII may no longer be used, but still resides on your computer. Conduct an assessment of your data to determine if it is still required (follow records management guidelines). If data is no longer required, delete such data. Submit a service request to the University Helpdesk to request assistance on determining if you have data that contains SSN.
How do I or my department request to use, collect, store or disclose SSN?
If you have a legitimate business need to collect, use, store or disclose SSN, send an email request to ITPC@ecu.edu and a representative will contact you concerning your request.
What is the SSN online survey?
Every departmental chair, dean or director should have received a letter from the ITPC requesting that you complete an online survey indicating if you collect, use, store or disclose SSN. If you have not received the survey, please contact your department head or send an email request to ITPC@ecu.edu.
Do we have to have all new forms printed using ECU ID instead of SSN? We can't afford that.
Forms need not be reprinted but changes should be implemented when existing supplies of forms are exhausted. If you no longer request SSN but ECUID, you must write-in ECUID where SSN is printed. If you have requested the ITPC review and approve the use, collection, storage and disclosure of SSN and received that approval, please attach the disclosure notice that appears under the forms section of the www.ecu.edu/ssnresource web page. You also must ensure that you physically secure any forms with SSN on them.
We have collaborators in our department. Since they aren't employees, are they covered by this policy?
Yes, since they may be performing some of the same duties as employees, they are subject to the same policies.
How do I dispose of information with SSN data stored on paper copies?
Ensure you follow the University’s record retention policy prior to disposal. If copies should be disposed, use a crosscut shredder or a certified shredding service.
How do I dispose of data containing SSN stored on a computer?
Using the DELETE button on your computer does not really delete data from your hard drive; it deletes the entry in the hard drive’s record of the physical location of the data. You must use an approved data deletion program to delete the data by overwriting it with random characters at least 7 times (Department of Defense standard for secure data deletion). If the computer is destined for surplus using established University procedures, this procedure is already performed on all hard drives before they are submitted for surplus.
How do I delete SSN data stored on CD-ROM or DVD-ROM disks?
The disk must be destroyed, whether in a disk shredder or by breaking the disk into small pieces. Scratching the surface of the disk does not destroy the data stored on the disk.
How do I delete SSN data stored on removable media (e.g., floppy disk, Zip disk, tape)?
There are two removal options:
1) You must use an approved data deletion program to delete the SSN data by overwriting it with random characters at least 7 times.
2)The media must be cut into small pieces. Contact the University Help Desk at http://help.ecu.edu or 328-9866 for assistance.
Who do I ask for advice on deleting data securely?
Contact the University Help Desk at http://help.ecu.edu or 328-9866.
How do I encrypt SSN data that I store or transmit?
It is imperative that you are authorized to store or transmit SSN. If you have not received approval for the use, collection, storage of disclosure of SSN, please email ITPC@ecu.edu for information. If you have been approved by the ITPC, contact the University Help Desk at http://help.ecu.edu or 328-9866 if you have questions on encryption.
