This policy governs the use of social security numbers (SSNs) at The University of Iowa and recognizes the use of the University ID (Univ ID) as the primary identification number for students and employees and any person with a recurring business relationship with the University. The University is committed to maintaining the privacy and confidentiality of an individual's SSN. Therefore, the use of the SSN as an identification number within the University shall be limited.
The Federal Privacy Act of 1974 and related amendments establish guidelines regarding state agency requests for the social security number. It is the duty of the University to inform individuals whether a given use of SSN is mandatory, the law or statute that specifies its necessity, its principal purpose(s), routine use, and the effects of not providing it. This policy provides guidelines on the proper use and disclosure of SSNs to ensure that those requirements are met.
b. The University will adopt a phased compliance strategy for all current administrative systems and campus applications with the goal of attaining complete compliance with this policy statement by June 30, 2008. Social security numbers are a part of many historical databases and imaged documents. In addition to compliance by June 30, 2008, all occurrences of SSNs in those databases and images must be reported using the process described below in II-36.4 Registration of Use of Social Security Numbers.
c. Grades and other student-related personal information will not be publicly posted or publicly displayed in a manner where either the SSN or Univ ID, or any portion thereof, identifies the individual associated with the information.
d. The University will take reasonable precautions to protect the privacy of the SSN for all individuals who provide it, but the SSN must be available to University employees when required to complete the business of the University.
(2) University units are responsible for protecting the confidentiality of data and information that may relate to students, patients, employees, and others served by the University community. Access to this information by University staff will be as required by job function and business necessity. Persons with such access will be required to sign a confidentiality agreement.
(3) Access to this information by non-University persons and entities will be governed by contractual agreements.
f. Paper and electronic documents containing SSNs will be stored securely; i.e., logical and physical security controls must be implemented to maintain confidentiality of SSNs stored electronically or printed.
g. Paper and electronic documents containing SSNs must be disposed of in a secure fashion, such as shredding. When SSN data is no longer needed, it should be removed from electronic files.
h. Social security numbers should not be used as an identifier in databases. Other identifiers, such as Univ ID or an application-specific identifier, should be used in place of the SSN.
i. SSNs will be released by the University to entities outside the University only:
k. Principles guiding the collection of SSNs include the following. All University forms and documents that collect SSNs will use such language to indicate whether the request is mandatory or voluntary.
(2) Students. Federal law requires students to use the SSN to apply for and receive financial aid. Federal law also requires that the University obtain and report to the Internal Revenue Service (IRS) the SSN for any person to whom compensation or financial aid is paid. The University also is required by federal law to report to the IRS the name, address, and SSN of any person from whom tuition and related expenses are received. The University will not disclose SSNs except where allowed by the Family Educational Rights and Privacy Act (FERPA).
(3) Faculty and staff. The University is required by federal law to report income along with SSN for all persons to whom compensation is paid. Employee SSNs are maintained and used by the University for payroll, reporting, and benefits purposes and are reported to federal and state agencies in formats required by law or required for benefits purposes. The University will not disclose an SSN for any purpose not consistent with applicable law.
(4) Research subjects. Subjects will be asked to provide basic information including name, mailing address, and SSN. This information allows the University to meet government reporting obligations. Subjects may be given the opportunity to waive receipt of payments should they decline to provide identifying information. The University of Iowa Institutional Review Board requires this notification in the language of the consent form.
(5) Other. Clinical and patient systems within The University of Iowa may be required to use the SSN for billing and health care coordination purposes. When the SSN identifies protected health information, its use also is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
36.4 USER RESPONSIBILITIES.
b. Any University employee storing SSN information on a computer that does not meet the requirements of this policy may be subject to disciplinary action consistent with II-19.5 Acceptable Use of Information Technology Resources: Administration and Enforcement.
c. All University computer systems, including local servers, desktops, laptops, or other storage devices, are subject to periodic assessment by the Information Technology Security Office to ensure appropriate protections are in place.
36.6 RELATED POLICIES.