Policy on the Digital Use of the Social Security Number
The Social Security Number (SSN) is a nine-digit number issued to U.S citizens, permanent residents, and temporary (working) residents under the Social Security Act. Its original purpose was to maintain individual records on federal taxes and benefits. Over the years, the SSN often became a de facto identification number, leading to increased identify theft. That risk was compounded by the expansion of the use of SSN in providing digital services. The University’s initiative to enhance SSN security is part of its ongoing commitment to protect individual privacy through, among other things, more effective data security practices on campus.
In the context of this policy, digital use of SSNs is defined as the storage, transmittal, or processing of SSNs using “University Information Technology” as defined by the Acceptable Use Policy (AUP).
Use of the SSN in digital form is permitted only under the following circumstances:
- As required to comply with relevant laws, or
- Where deemed essential to operations by an Officer of the University.
Uses of SSN qualifying under (2) must have supporting documentation filed with the University’s Chief Information Officer.
All SSNs in digital format that do not comply with the foregoing limitations must be immediately removed. If the function which the SSNs served is still required in order to perform a necessary business function of the University, then the SSNs should be replaced with ChicagoIDs.
When remediation is not immediately possible, the unit with operational or business responsibility for digital SSN usage (rather than the unit’s IT support) must submit documentation explaining the problem, the reason for the delay, and the plan for remediation to the appropriate Officer of the University, who will forward the information to the University’s Chief Information Officer for final approval. The “appropriate Officer of the University” should be determined by the context in which the SSN is used. For example, if the SSN is being used for financial reasons, the appropriate officer would likely be the Chief Financial Officer; if the SSN were being used in conjunction with patient data, the Vice President for Medical Affairs would likely be involved.
This policy applies to any use of SSN in the context of the Acceptable Use Policy (AUP). Appropriate use of the ChicagoID is defined in the Policy for Use of the ChicagoID . This policy should not be understood to limit any other privacy policies at the University, including, for example, those required by FERPA or HIPAA.
The following examples illustrate the range of permitted SSN usage in digital form:
- Preparing and submitting reports to the State or Federal government for tax, financial aid, or other legal reporting obligations and maintaining electronic records thereof;
- Correlating standardized assessments (such as the GMAT, MCAT, ACT, etc) with student records;
- As required under a contract with an external entity and approved by the appropriate Officer of the University; and
- IT Services’ Identity Management operation, which provides digital services to and managing digital records about persons associated with the University.
Policy Owner: tbarton