Handling of SSN and PII information.
Indiana Wesleyan University strives to ensure the proper handling of Social Security Numbers (SSNs) and personally identifiable information (PII) for its employees, students and associated individuals. This is to protect the students, staff and faculty from the risk of identity theft.
The SSN is not to be used except when required/permitted by law. Instances where only the last 4 digits of SSN are stored or transmitted to verify an identity are acceptable. Note: Individuals shall not be required to give their SSN, in writing or verbally. The SSN will be used where necessary for employment and financial aid records. IWU has implemented role-based access control regarding the complete 9 digit SSN numbers. A security group has been created to allow only a selected group to view the complete SSN necessary to complete their jobs. Immediate supervisors can request this access for individuals.
Personally identifieable information is not to be used except when required/permitted by law. Personally identifiable information includes social security numbers, passport number, driver’s license number, taxpayer identification number , dates of birth and place of birth, maiden name or mother’s maiden name, personal financial account numbers, and home addresses of students or individuals. Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g. Retina san, voice signature, facial geometry) are included.
Definition of policy...
This policy will affect all employees
Primarily offices that deal with the entire unredacted SSN number including HR, Financial Aid, Admissions, Registration (both CAS and CAPS)
Chief Information Officer
Chief Financial Officer
21-Mar-2012 - This policy is a draft and is not yet in effect.
The Privacy Act of 1974, 5 U.S.C. § 552a (2000)
Government Accountability Office (GAO) Report 08-343
NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information
It is against policy to....
Post or display the SSN
Require an individual to transmit an SSN unless the connection is secure.
Transmit the SSN in email unless encrypted.
Email SSN to outside parties wihout protecting it.
Permit an unatuorized individual access to SSN data
We advise against:
Collecting, storing or processing SSN information without a justified need
Transmitting unencrypted SSN info over public networks
Retention of this data beyond useful life
SSN elemination is stressed for business processes.
Archived paper records should be destroyed if feasible. If they need to be retained ensure that theya re stored securely.
Storing SSN without encryption