This regulation applies to the collection, use, security and disclosure of social security numbers (SSNs) and Personal Identifying Information (PII) by East Carolina University (ECU) and the regulation of SSNs and PII.
1.1 PII is all "identifying information" as defined by NC Gen. Stat. § 14-113.20(b) and vehicle license plate numbers. "Identifying information" is defined by G.S. §14-113.20(b), as limited by NC Gen. Stat. §132-1.10 to include:
1.1.1 Social security or employer taxpayer identification numbers
1.1.2 Drivers license, state identification card or passport numbers
1.1.3 Checking account numbers
1.1.4 Savings account numbers
1.1.5 Credit card numbers
1.1.6 Debit card numbers
1.1.7 Personal Identification (PIN) Code as defined in G.S. 14-113.8(6)
1.1.8 Electronic identification numbers, electronic mail names or addresses, Internet account numbers or Internet identification names
1.1.9 Digital signatures
1.1.10 Any other numbers or information that can be used to access a person's financial resources
1.1.11 Biometric data
1.1.12 Fingerprints
1.1.13 Passwords
1.1.14 Parent's legal surname prior to marriage
2.3.1 Unless specifically authorized by the ITPC, no university entity or employee shall create a form or electronic template that requires or contains a SSN for any purpose. This prohibition includes the creation of databases, reports, internal spreadsheets or other documents that contain SSNs. SSNs will no longer be used as the university identifier. Requests for ITPC review and approval should be e-mailed, along with the form or template for which approval is sought, to ITPC@ecu.edu.
2.3.2 For approved forms and electronic templates used for the collection of SSNs, a disclosure statement compliant with the provisions of the State Privacy Act and UNC Policy 1300.5[G] must be used. Compliant template disclosure statements may be copied and pasted electronically by accessing the document entitled, Disclosure Statements for Collecting SSNs, online at www.ecu.edu/cs-itcs/ssnresource/.
2.5.1 Pursuant to law, university entities may not intentionally communicate or otherwise make available to the general public a person's SSN or PII. SSN and PII are confidential.
2.5.2 Disclosures of SSN or PII to university vendors, contractors or other external entities must be reviewed and approved in advance by the ITPC. The vendor, contractor or external entity must complete a form certifying its compliance with applicable law. This form is available from the ITPC and may be accessed online at www.ecu.edu/cs-itcs/ssnresource/. Upon execution, departments must maintain a copy of this form in their files. The collection of SSNs or PII on behalf of or as requested by another state or federal government entity must be approved in advance by the ITPC.
2.5.3 If a court order, warrant or subpoena demanding the disclosure of SSNs or PII is served upon an ECU employee, that employee should immediately contact the Office of the University Attorney.
Requests for ITPC review, approval and disclosure of SSN or PII should be e-mailed to ITPC@ecu.edu.
2.6.1 University entities authorized by the ITPC to maintain SSNs or other PII must utilize security measures to protect this information. Proper security measures include but are not limited to locked filing cabinets and offices, password-protected electronic files, and electronic encryption measures. Guidelines for protecting SSNs are found at http://www.ecu.edu/ssnresource.
2.6.2 University entities and individuals not authorized by the ITPC to maintain SSN or PII, or which are not seeking ITPC approval, should immediately and properly delete and/or destroy SSNs and PII from every source, wherever located and in whatever form. Guidelines for deletion may be found at www.ecu.edu/ssnresource.
2.6.3 Except as otherwise approved by the ITPC, the storage of SSNs or PII on local computers, laptops, portable devices or home/personal computers and/or electronic devices is prohibited.
2.6.4 SSNs or PII may not be sent electronically (by e-mail or otherwise) unless such data is encrypted and only if SSN use is authorized by the ITPC. Guidelines on encryption may be found at www.ecu.edu/cs-itcs/itsecurity/DataEncryption.cfm.
2.6.5 SSNs may not be printed on any materials that are mailed to an individual, unless state or federal law requires that the social security number be on the document to be mailed. The mailing of materials that contain SSNs must be approved in advance by the ITPC.
Questions regarding these requirements may be e-mailed to ITPC@ecu.edu.
3.1 Pursuant to the State Privacy Act, ECU shall not deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his/her SSN except refusal to disclose after a request pursuant to the requirements of a statute.
3.2 All individuals from whom SSNs are solicited shall be informed of: 1) whether or not the requested disclosure is mandatory or voluntary; 2) by what statutory or other authority the SSN is being solicited; and 3) what uses will be made of the SSN.
4.1.1 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(1), SSNs shall not be collected from an individual unless authorized by law to do so or unless the collection of the SSN is otherwise imperative for the performance of ECU's duties and responsibilities as prescribed by law. SSNs collected by ECU must be relevant to the purpose for which collected and shall not be collected until and unless the need for SSN has been clearly documented.
4.1.2 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(2), when collecting a SSN from an individual, the SSN must be segregated on a record in an appropriate manner that permits the SSN to be easily redacted in the event of a public records request.
4.1.3 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(3), ECU shall not fail, when collecting a SSN from an individual, to provide, at the time of or prior to the actual collection of the SSN, that individual, upon request, with a statement of the purpose or purposes for which the SSN is being collected and used.
4.1.4 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(4), ECU shall not use a SSN for any purpose other than the purpose stated.
4.1.5 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(5), SSNs and/or PII shall not be intentionally communicated or otherwise made available to the general public. SSNs and PII are confidential except where disclosure is otherwise permitted by law.
4.1.6 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(6), SSNs shall not be intentionally printed or embedded on any card required for an individual to access ECU services.
4.1.7 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(7), unless the connection is secure or the social security number is encrypted, an individual shall not be required to transmit his/her social security number over the Internet.
4.1.8 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(8), an individual shall not be required to use his/her SSN to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.
4.1.9 Pursuant to N.C. Gen. Stat. § 132-1.10 (b)(9), SSNs shall not be printed on any materials that are mailed to an individual unless state or federal law requires the SSN to be on the document to be mailed. A SSN that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
4.1.10 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(1), SSN(s) and PII may be disclosed to another governmental entity or its agents, employees, or contractors if the disclosure is necessary for the receiving entity to perform its duties or responsibilities. The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers.
4.1.11 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(2), SSNs and PII may be disclosed pursuant to a valid court order, warrant or subpoena. Please contact the Office of the University Attorney if a court order, warrant or subpoena is served.
4.1.12 Pursuant to N.C. Gen. Stat. § 132-1.10 (c)(3), SSNs and PII may be disclosed for public health purposes pursuant to and in compliance with Chapter 130A of the General Statutes.
4.1.13 Unauthorized Access or Disclosure of SSNs and PII. Any time it is believed that SSNs and/or PII maintained by ECU have been subject to unauthorized access or disclosure by an unauthorized party, the incident should be reported immediately to the Information Security Officer.
The university is governed by the breach notification requirements of the HITECH Act. The Act requires the implementation of additional security controls to minimize the risk of data security breaches of PHI. SSNs, considered PHI under HIPAA Privacy rules, are also subject to those additional security controls, and thus use and storage of SSNs are further restricted. Please immediately contact the HIPAA Privacy and Security Officers, respectively, if you are aware of a possible breach involving PHI. Any questions related to the proper use and storage of SSNs and PII under HIPAA may also be so directed. Information can also be found on the ECU HIPAA website at www.ecu.edu/hipaa/.