ADG08 Collection, Storage and Authorized Use of Social Security Numbers and Penn State Identification Numbers
Policy Steward:Vice President for Administration>
- Use of the Social Security Number
- Disclosure Statements
- Central Identification Repository (CIDR)
- Data Stewards
- Social Security Numbers Within Historical Records
- Security and Privacy of Social Security Numbers
- Penn State Identification Number (PSUID)
- PSUID and Penn State id+ Card
- Further Information
- Cross References
This Guideline provides amplifying information related to policy AD53, with regard to specific uses of Social Security Numbers (SSNs) and Penn State Identification Numbers (PSUID) within the University. This Guideline also establishes expectations around the collection and use of SSNs, which is sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It also calls on anyone associated with the University to inventory their online and offline SSNs and reduce these risks by: (1) eliminating the use of SSNs; (2) converting SSN to PSUID; (3) when necessary, truncating SSNs to capture and display only the last four digits; and (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the information.
This Guideline is applicable to all members of The Pennsylvania State University community including but not limited to faculty, staff, contractors and their respective agents. This Guideline is also applicable at all University locations and for all University operations, with the exception of the operations conducted at or as part of the programs of the Pennsylvania College of Technology. The Pennsylvania College of Technology has its own policy regarding the use of SSNs within its systems. However, its policy must provide compatibility with Student Financial Systems and IBIS (Integrated Business Information System), as necessary.
The information subject to this Guideline includes SSNs collected and maintained as part of University operations. For example, the handling of one's own SSN, or SSNs of family members, separate and apart from University operations is not subject to this policy, though many of the measures contained in this policy are recommended as a matter of best practice for such situations.
SSNs should not be used as a primary identifier in a University system. It is the responsibility of individuals subject to this Guideline to use best efforts to know and inventory where they are maintaining SSNs and to make best efforts to securely delete, convert, truncate, or secure such information.
The following outlines specific instances in which SSNs may be requested or required by University offices. In cases where a University office is collecting personally identifiable information for business purposes, to specifically include SSNs and other information classified as "High" pursuant to AD95, that office is required to protect this information at the appropriate classification, as specified in AD95, Information Assurance and IT Security and its corresponding standards. The primary uses and reasons for collecting a SSN should be limited and include the following:
- Enrollment: Those wishing to enroll in academic offerings at the University - both credit and non-credit - are required to provide a SSN for secondary identification purposes. IRS regulations require the University to request a SSN as a Taxpayer ID number for use in tax reporting. In addition, any student applying for Financial Aid must provide a SSN to the University. If a person enrolling in a University academic offering - credit or non-credit - refuses to provide a SSN, certain services, such as transcripts, enrollment verification, tax reporting, financial aid and other services may not be available to the individual, and the University cannot guarantee a complete academic record for the individual.
- Immigration Law: A SSN must be provided on I-9s, in accordance with the Immigration and Control Act of 1986 (IRCA), as overseen by OHR International Scholars and Faculty Visa Services (ISFVS). For students, SSN collection is required to meet INS regulations for international students under the purview of the Office of International Students.
- Employment: Any person employed by the University must provide a SSN as the taxpayer ID number as directed by the IRS. This includes all employees, including part-time and student employees. Providing the SSN is a condition of employment. Applicants for employment must also provide a SSN, if requested, for mandatory background checks.
- Employee Benefits: If required by a benefits provider, the SSNs of dependents may be collected to receive service. The University may also release an employee's SSN to benefit providers.
- Export Compliance: If required by the University Export Compliance Officer and/or the University Empowered Official(s), an SSN may be collected to document status as a U.S. Person under relevant U.S. Export Control Laws, Regulations and Guidelines.
- Payment for Personal or Professional Services: Any person providing services to the University as an independent contractor, invited speaker (honorarium) or research subject for which payment will be made, must provide a SSN as the taxpayer ID number, per IRS regulations. These taxpayer ID numbers will be stored in the accounts payable system as part of the vendor record.
- Planned Giving Donors: Donors participating in planned giving programs must provide a SSN as the taxpayer ID, per IRS regulations.
- University Police & Public Safety: Because the SSN is, and will continue to be, a primary identifier for law enforcement and criminal justice records, University Police & Public Safety has access to the SSN information in all systems. Suspects and defendants will be asked for their SSN because this is used as a personal identifier in criminal justice databases (e.g. FBI NCIC, criminal history records, etc.), on citation forms, on criminal complaints, and in local police databases.
The SSN may also be released to entities outside the University where required by federal or state law, regulation or procedure, or if the individual grants permission.
In addition, per University Policy AD53, University systems, regardless of the category of data maintained, must be scanned for Personally Identifiable Information (PII) using University-approved scanning procedures. Please see the following resource for specific guidance and direction as to current University approved scanning procedures.
It is strongly recommended that University offices adopt the use of a standard disclosure statement on forms requesting SSNs from prospective students and on forms where services are requested that require SSNs.
SSNs are secured in a Central Identification Repository (CIDR) with limited and encrypted (secure) access rights. Those offices that require the storage of SSNs within their systems rather than in CIDR must protect this data element as specified in AD95 and its corresponding standards. Crosswalk files that cross-reference PSUIDs to SSNs are prohibited with the exception of CIDR.
The data within CIDR is University data and will be available only to those authorized to view data within CIDR. The data within CIDR may not be used by any office for purposes of data mining.
In certain cases, collection of an individual's SSN may have additional privacy considerations (e.g. the information collected may only be used within the scope of the project for which it was collected). Those cases will be reviewed with the Privacy Officer to determine the appropriate handling.
The Corporate Controller's Office has assigned and designated Data Owners who are responsible for the control of PSUIDs, SSNs and other data elements in the Central Identification Repository (CIDR). Mandatory data elements are defined under the authority of the Vice Provost for Information Technology, and administered by the ITS Identity Services Unit, per University Policy AD80, Identity and Access Management (IAM).
SSNs may be a part of historical databases or imaged documents given past use as the primary identifier at the University. The University will make a good faith effort to convert all on-line databases and information containing SSNs to PSUIDs. Individuals subject to these guidelines should use best efforts to know and inventory where they are maintaining SSNs and to make best efforts to securely delete, convert, truncate, or secure such information.
An inventory and identification of SSNs should be conducted as follows:
- Inventory SSNs by reviewing hard copy documents, including reports from information systems that contain SSNs.
- Identify electronic files that contain SSNs on computers including files stored in applications and databases.
- Identify vendors, contractors, or agents with whom you are working or who work with SSNs of the University as part of a University sponsored activity.
In cases where complete SSNs are not necessary, and the retention of such information is not required, SSNs that have been identified should be addressed as follows:
- Securely destroy the information. Paper records may be securely destroyed by utilizing shredding services. Recycling of paper records containing SSNs is prohibited.
- Electronic information may be securely destroyed using secure individual file deletion or secure disk wipe utilities.
- Convert information to PSUID or other identifier.
- Collect, maintain, and display only the last four digits of SSN. Truncated SSNs, while still carrying some risk, are generally less harmful to individuals from a privacy perspective as compared to complete SSNs.
The University's Information Technology Services Office, Office of Information Security or local IT staff can be consulted when employing the above guidelines. Disposal of the records must be done securely and in accordance with Policy AD35, University Archives and Records Management. If, however, the database, record or document is subject to a litigation hold, please contact the Office of General Counsel before proceeding.
Securing Complete SSNs - In some cases, the maintenance of a complete SSN is necessary to comply with legal requirements or other business or IT processes that have not yet converted from SSN usage. In such cases, this sensitive data should adhere to the security standards, below.
If a SSN is collected for a student, employee, or other constituent, it will be stored as a private data element for that individual within the Central Identification Repository (CIDR) (with the exception of SSNs collected as taxpayer IDs within the IBIS accounts payable system, which will be stored as part of the vendor record). The University will take all necessary and reasonable precautions to protect the SSN for all individuals who provide it. Please note, however, that the SSN must be available to authorized University employees if required to complete the business of the University. Any storage of an SSN outside of CIDR must follow Policy AD95 and its corresponding standards for proper protections and, as an exception to policy, shall conform with the following requirements:
- SSNs should be stored on secure computers that meet the requirements of the University's Security Policies to ensure that documents containing SSNs are secured properly.
- Storage of SSNs on portable computing devices, USB drives, cell phones or any other mobile device is strongly discouraged. If storage is clearly necessarily, the data should be protected with encryption.
- Local departmental databases or spreadsheets containing SSNs, which are available through local servers or PCs, are not permitted unless properly secured as specified in Policy AD95 and its corresponding standards.
- Historical records containing SSNs in off-line storage, such as paper, tape, cartridge, fiche, microfilm or magnetic media may be maintained, but access to these off-line records must be limited and secure.
Need to Know Access - Access to SSNs must be restricted to individuals with a need to know for University functions to proceed.
Restrictions on Transmission - SSNs may not be sent over any network in plain text (unencrypted), including e-mail.
Use by Third Parties - SSNs will be released by the University to entities outside the University only when (1) permission is granted by the individual; (2) the external entity is acting as a University's contractor or agent and the University has made reasonable efforts to ensure that the entity has adequate security measures in place to protect the data from unauthorized access; (3) as approved by the Office of Internal Audit, the Office of General Counsel, the Office of Information Security, the Chief Privacy Officer, the Risk Management Office, and/or Procurement Services; and/or (4) as required by law.
A Penn State Identification Number or PSUID is assigned to individuals and is used as the primary identifier in the University's administrative and academic systems. The PSUID is a nine digit number, beginning with 9 in the following format: 9-XXXX-XXXX.
The following apply to all individuals assigned a PSUID:
- The PSUID is assigned to an individual and is used for all affiliations with the University. Efforts must be made to prevent assignment of multiple PSUIDs to the same individual.
- The PSUID for an individual will not be available to the general public, such as through the Penn State Directory.
- The PSUID may only be used in email or other correspondence within the University among appropriate University personnel and offices in performing their assigned duties, or in email or other correspondence sent directly to that individual. The PSUID should never be part of the subject line of an email or printed on the address label of written correspondence, and unless the full number is required (i.e., to notify an individual of his or her PSUID), only the last four digits should be used in the text of any such email or correspondence.
There are three major groups to whom PSUIDs are assigned - students, employees and other entities - and different guidelines apply to each.
- Students: A PSUID is issued to anyone enrolling in University academic offerings - including credit and non-credit instruction - that are recorded in Student Financial Systems. The PSUID is the identifier for individuals within University academic systems and will be available to appropriate University officials with a legitimate educational need for the records. Students will be required to provide the PSUID when requested to obtain access to services at the University.
NOTE: Under the Family Educational Rights and Privacy Act of 1974 (FERPA), the PSUID cannot be used to display a student's scores or grades publicly. This also precludes posting grades using only the last four digits of the PSUID.
- Employees: All University employees, including wage payroll, are issued a PSUID at the time of employment. The PSUID will be used to identify the individual within the Integrated Business Information System (IBIS) and other administrative systems. University retirees will also be assigned PSUIDs under this affiliation.
- Other Entities: There are other constituents associated with the University who may be issued a PSUID. These include, but are not limited to: alumni, donors, visiting scholars and "friends of Penn State." The Identity Authorities will determine when a PSUID may be issued for those falling into the "other entity" category.
Only after determining that an individual does not have an existing PSUID will a new PSUID be assigned. The Data Stewards authorize which areas of the University will have the authority to establish a PSUID for an individual, if one does not already exist. Assigning a PSUID will require certain minimum information about the individual as prescribed by the Data Steward. Those offices assigning PSUIDs must notify constituents of their new PSUID in a timely manner.
If multiple PSUIDs are issued to a single individual, or, if two individuals are issued the same PSUID, the University office discovering such errata must contact the Data Stewards and, after verification of the duplicate and/or multiple assignment, the records will be merged or separated and the individual or individuals involved will be notified of which PSUID will be valid in the future.
Any compromise or fraudulent use of a PSUID must be reported to the Privacy Office upon discovery. If an assigned PSUID has been compromised and used fraudulently, a new PSUID number may be issued by the ITS Identity Services Unit. Questions regarding the policy or its interpretations with respect to PSUID are subject to the review and approval of the Privacy Office.
The PSUID is printed on the Penn State id+ card so that individuals have a permanent record of their PSUID for reference purposes. Individuals issued id+ cards will be expected to keep the card secure. The id+ Card has a brief disclosure statement on the back of the card regarding the individual's responsibility for keeping the card and the PSUID secure. If an id+ card must be replaced, the PSUID will remain the same, but a new id+ card number will be issued.
Policy AD24 governs the issuance of id+ cards. Please note that not all individuals assigned a PSUID will receive an id+ card.
For questions, additional detail, or to request changes to this guideline, please contact the Privacy Office.
Other Policies should also be referenced, especially:
AD11, University Policy on Confidentiality of Student Records
AD22, Health Insurance Portability and Accountability Act (HIPAA)
AD24, Identification Cards
AD35, Archives and Records Management
AD95, Information Assurance IT Security
Effective Date: February 22, 2016
Date Approved: February 22, 2016
Date Published: February 22, 2016
Most recent changes:
- September 21, 2017 - Editorial changes to align with Policy AD95.
Revision History (and effective dates):
- February 22, 2016 - New Guideline. This Guideline, in conjunction with updates to Policy AD53, will replace policy AD19, Use of Penn State Identification Number and Social Security Number.