Social Security Number Policy



Reason for Policy

Purdue University Calumet is dedicated to ensuring the privacy and proper handling of Social Security Numbers (SSNs) of its students, employees, and individuals associated with Purdue Calumet. The primary purpose of this Social Security Number policy is to ensure that the necessary procedures and awareness exist so that Purdue Calumet employees and students comply with both the letter and the spirit of FERPA and Indiana Code Title 4 Article 1 Chapter 8 — State Requests for Social Security Numbers, as amended from time to time. SSNs have been used in Purdue Calumet systems to uniquely identify students and employees and to permit students and employees to gain access to their own confidential information in Purdue Calumet systems. As systems are updated and replaced, the reliance on SSNs will be reduced, as more fully explained in this policy.

This policy is guided by the following objectives:

  • Broad awareness of the confidential nature of the SSN.
  • Reduced reliance upon the SSN for identification purposes.
  • Increased emphasis on secure use, transmission, and storage of the SSN throughout the Purdue systems.
  • A consistent policy toward and treatment of SSNs throughout Purdue Calumet.
  • Increased confidence by students and employees that SSNs are handled in a confidential manner.

Statement of Policy

It is Purdue Calumet’s intent to protect the SSN of its students, staff, and faculty to minimize the growing risks of identity theft.

Accordingly, the SSN may not be used as a common identifier or used as a database key in any electronic information system. The SSN may be collected and used when necessary for employment records, financial aid records, and a limited number of other business and governmental transactions, as required by law.

Purdue West Lafayette will assign a Purdue University Identifier (PUID) and other credentials, like a password or a digital certificate, to an individual upon initial association with Purdue Calumet for identification and authentication, in order to eliminate the use of the SSN wherever possible.

Pursuant to Purdue University policy the following regulations apply to Purdue Calumet:

  • All new systems purchased or developed by Purdue Calumet will not use SSN as identifiers except where such use is specifically permitted or required under this policy. Such systems should not visually display the SSN on any system output, including monitors and printed forms, unless required by law or required by Purdue Calumet as needed in execution of its duties.
  • Each individual associated with Purdue will be assigned a PUID that is not the same as, or based upon, the individual’s SSN or other unique demographic information.
  • No new system or technology, where the SSN is a consideration, will be developed or purchased by Purdue Calumet unless it is compliant with this policy or approved by the assigned SSN Administrator as an exception.
  • All Purdue Calumet forms and documents that collect SSNs will use the appropriate language to indicate whether the request is voluntary or mandatory.

In accordance with Indiana Code Title 4 Article 1 Chapter 8, or any successor legislation thereto, unless Purdue Calumet is legally required to collect an SSN, individuals will not be required to provide their SSNs verbally or in writing at any Point of Service, nor will they be denied access to those services should they refuse to provide an SSN. However, individuals may volunteer their SSNs if they wish as an alternate means of locating a record.

Who Should Know This Policy

  • Chancellor
  • Vice Chancellors
  • Deans
  • Directors/Department Heads/Chairs
  • Principal Investigators
  • Business Office Staff
  • Administrative and Professional Staff
  • Clerical and Service Staff
  • All Employees
  • Graduate Students
  • Faculty
  • Visitors
  • All others with access to Purdue Calumet IT Resources

Procedures

Purdue Calumet will assign an administrator the responsibility of overseeing SSN usage on the Purdue Calumet campus. The Purdue Calumet SSN administrator will control the SSN, and their prior written approval will be required to use the SSN in any new electronic system, or to use the SSN in any modifications to an existing system. Purdue Calumet is free to choose an SSN Administrator who best fits its individual administrative model. The assigned SSN Administrator will maintain the list of approved exceptions for his or her campus.

The Provost or Executive Vice President and Treasurer will appoint the System-Wide Coordinating Officer for system-wide issues. The System-Wide Coordinating Officer shall have the ultimate responsibility and authority over decisions and the application of this policy for all Purdue Campuses.

PUID Assignment

A University-wide PUID will be assigned to all students, employees, alumni, and other associated individuals, such as contractors or consultants. This PUID will be assigned at the earliest possible point of contact between the individual and the University. Except as permitted herein, the PUID will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University. The PUID will be permanently and uniquely associated with the individual to whom it is originally assigned.

  • The PUID will be considered the property of Purdue University, and its use and governance shall be at the discretion of the University, within the parameters of the law.
  • The PUID will be a component of a system that provides a mechanism for both the identification of individuals and a method of authentication. Except as specifically provided herein, all services rendered by Purdue Calumet and electronic business systems will rely on the identification and authentication process provided by this same system.

SSN Usage

Grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the complete PUID or SSN, or partial PUID or SSN, are used to identify an individual.

In all new systems, SSNs will be transmitted electronically only through encrypted mechanisms.

Paper and electronic documents containing SSNs will be disposed of in a Secure Fashion in accordance with data-handling requirements, as defined by the administrative data owners.

SSNs will be released by Purdue Calumet to external entities only:

  • As allowed or required by law; OR
  • When permission is granted by the individual; OR
  • When the external entity is acting as Purdue Calumet’s contractor or agent and adequate security measures and agreements are in place to prevent unauthorized dissemination to third parties.

The SSN may continue to be collected and stored as a confidential attribute associated with an individual. The SSN will be used as:

  • Required by law;
  • A method to identify individuals for whom a PUID has not been created and not used for other internal processes; and
  • A means to uniquely identify an individual for PUID assignment.

Phased Compliance Strategy

Purdue Calumet will adopt a Phased Compliance Strategy for its existing systems. All Schools, Departments, Divisions, and Business Units are strongly encouraged to complete the required system and process modifications to comply with this policy as soon as reasonably possible. Given the scope of process, system, and data changes required, a comprehensive compliance plan will be developed by the SSN Administrator at Purdue Calumet.

Compliance

The SSN Administrator at Purdue Calumet will be responsible for the development of an implementation plan to monitor compliance with this policy.

An employee, student, volunteer, representative, contractor, or any other agent of Purdue Calumet who has substantially breached the confidentiality of SSNs may be subject to disciplinary action or sanctions up to and including discharge or dismissal, in accordance with Purdue Calumet policy and procedures.

For new and existing business needs unable to comply with these policy requirements, the formal SSN Policy Exception Form must be approved by the IT Security and Privacy organization at Purdue West Lafayette, the Purdue Calumet SSN Administrator, and the System-Wide Coordinating Officer.

Responsibilities

Person: Responsibility

  • SSN Administrator(s): Implementation of this policy statement and approval of SSN policy exceptions
  • All Purdue Stakeholders: Compliance with this policy statement

History

Supersedes: Requesting Social Security Numbers for Educational, Employment, and Other Record-Keeping Purposes (B-54).

Forms

In support of this policy, the following forms are included:

Name: Number

  • SSN Policy Exception Form: ITSP Form 500

Related Documents

The following documents provide further information related to FERPA and the Privacy Act of 1974:

The following document provides information on Indiana Code Title 4 Article 1 Chapter 8 — State Requests for Social Security Numbers:

The following documents provide information on the security requirements for handling information developed by the appointed administrative data owners:

Contacts

  • SSN Administrator
  • Questions about this policy or to report a suspected policy violation: Computing, Technology, and Information Services; telephone 219-989-2441; e-mail ctis-securityhelp@calumet.purdue.edu

Glossary

Word: Definition

  • FERPA: Family Educational Rights and Privacy Act, as amended from time to time.
  • Phased Compliance Strategy: A strategy that attempts to define a multi-tiered approach to achieving compliance.
  • Point of Service: A physical or electronic interaction between Purdue Calumet and its employees, students, or other individuals, during which Purdue Calumet provides physical, educational, informational, or electronic services to the individual.
  • PUID: Purdue University Identifier assigned to an individual upon initial association with Purdue University. Used for identification in electronic systems.
  • Secure Fashion: In the context of the destruction of paper and electronic documents, this refers to a method that defeats both casual and deliberate attempts at theft — e.g., the shredding of documents containing Social Security Numbers and the use of ‘confidential’ recycling bins. For electronic documents, this refers to explicit deletion or storage on a device protected by a password-based security system using encryption.
  • SSN: Social Security Number
  • SSN Administrator: The administrator at Purdue Calumet who is assigned the responsibility of overseeing SSN usage on the Purdue Calumet campus.
  • System-Wide Coordinating Officer: The individual appointed by the Provost or Executive Vice President to act as the coordinating officer for system-wide SSN issues.

Computing Technology Information Services

CTIS, Powers Room 218

2200 169th St. Hammond, IN 46323 1800-HI-PURDUE,X. Locally within Indiana & Illinois

Phone: 219/989-2346

fcervone@calumet.purdue.edu
