Social Security Number: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 57: Line 57:
===Employee Information ===
===Employee Information ===
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:
*ITS shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Personnel (SAP) Number
:*Last four digits of Social Security Number   
:*Last four digits of Social Security Number   
Line 68: Line 68:
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.
*In the event that the Social Security Number must be maintained, an a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted to the Information Security Office who will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number must be maintained, a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted to the Information Security Office who will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
===Approval/Disapproval Process===
===Approval/Disapproval Process===
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  
Line 76: Line 76:
If the request to use Social Security number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
If the request to use Social Security number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
===Review of Electronic Data storage===
===Review of Electronic Data storage===
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
===Record Retention===
===Record Retention===
The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.  
The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.  
===Definitions===
===Definitions===
'''''Information Security''''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
'''''Information Security''''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.