Indiana Wesleyan University Support Knowledge Base

In Process - PII-SSN Policy

Overview

Handling of SSN and PII information.

Purpose

Indiana Wesleyan University strives to ensure the proper handling of Social Security Numbers (SSNs) and personally identifiable information (PII) for its employees, students and associated individuals.  This is to protect the students, staff and faculty from the risk of identity theft.

Policy

The SSN is not to be used except when required/permitted by law. Instances where only the last 4 digits of the SSN are stored or transmitted to verify an identity are acceptable. Note: Individuals shall not be required to give their SSN, in writing or verbally. The SSN will be used where necessary for employment and financial aid records. IWU has implemented role-based access control for complete 9-digit SSNs. A security group has been created so that only a selected group can view the complete SSN necessary to complete their jobs. Immediate supervisors can request this access for individuals.

Personally identifiable information is not to be used except when required/permitted by law. Personally identifiable information includes social security numbers, passport number, driver’s license number, taxpayer identification number, dates of birth and place of birth, maiden name or mother’s maiden name, personal financial account numbers, and home addresses of students or individuals. Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g. retina scan, voice signature, facial geometry) are included.

Definition of policy...

Scope

This policy will affect all employees.

Primarily offices that deal with the entire unredacted SSN, including HR, Financial Aid, Admissions, Registration (both CAS and CAPS).

Owners and Approvers

Chief Information Officer

Chief Financial Officer

History

17-Oct-2017 - Draft policy reviewed - Not yet in effect

21-Mar-2012 - This policy is a draft and is not yet in effect.

Policy Information

Employee Policy

Reference

The Privacy Act of 1974, 5 U.S.C. § 552a (2000)

Government Accountability Office (GAO) Report 08-343

NIST SP 800-122  Guide to Protecting the Confidentiality of Personally Identifiable Information

http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

 

 

Additional Remarks

It is against policy to....

Post or display the SSN

Require an individual to transmit an SSN unless the connection is secure.

Transmit the SSN in email unless encrypted.

Email SSN to outside parties without protecting it.

Permit an unauthorized individual access to SSN data.

We advise against:

Collecting, storing or processing SSN information without a justified need

Transmitting unencrypted SSN info over public networks

Retention of this data beyond useful life

SSN elimination is stressed for business processes.

Archived paper records should be destroyed if feasible. If they need to be retained, ensure that they are stored securely.

Storing SSN without encryption
