Social Security Number: Difference between revisions

no edit summary
No edit summary
Line 27: Line 27:
Policy No.: '''6085'''<br />
Policy No.: '''6085'''<br />
Effective Date: '''09/22/15'''<br />
Effective Date: '''09/22/15'''<br />
Revised Date: <br />
Revised Date: '''03/30/18 DRAFT''' <br />
Revised Date: <br />
Revised Date: <br />
<br />
<br />
Line 38: Line 38:
UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students, and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.
UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students, and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.


Social Security Numbers (SSNs) - including any portion of the full nine digits-shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.
Social Security Numbers (SSNs) - including any portion of the full nine digits, shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.


The following individuals are authorized to approve use of Social Security Numbers.
The following individuals are authorized to approve use of Social Security Numbers.
Line 44: Line 44:
*Students - Assistant Vice Chancellor for Academic Affairs/Student Affairs
*Students - Assistant Vice Chancellor for Academic Affairs/Student Affairs
*Research Subjects - Institutional Review Board  
*Research Subjects - Institutional Review Board  
*Other - Senior Associate Vice Chancellor for Business and Finance
*Other - Assistant Vice Chancellor for Business and Finance
*Other - Chief Information Security Officer
===General===
===General===
*UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering, and disclosure. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering and disclosure. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.  
*UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.  
*Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy Office, or the Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-866-568-5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.  
*Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy Office, or the Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-866-568-5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.  
Line 55: Line 56:
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:  
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:  
:*UNMC Student Number
:*UNMC Student Number
*In the event that the Social Security Number of a student must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office who will facilitate approval from the Assistant Vice Chancellor for Academic Affairs/Student Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number of a student must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office which will facilitate approval from the Assistant Vice Chancellor for Academic Affairs/Student Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].


===Employee Information ===
===Employee Information ===
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:
*The Information Security team shall be available to assist in identifying alternatives to the use of the Social Security Number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Personnel (SAP) Number
*In the event that the Social Security Number of an employee must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office who will facilitate approval of the Assistant Vice Chancellor for Human Resources for approval. In cases where the employee Social Security Number must be stored in a database, the database must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number of an employee must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office who will facilitate approval of the Assistant Vice Chancellor for Human Resources for approval. In cases where the employee Social Security Number must be stored in a database, the database must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
Line 70: Line 71:
===Other===
===Other===
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.
*The information Security team shall be available to assist in identifying alternatives to use of Social Security Number.
*In the event that the Social Security Number must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office who will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number must be maintained, a form, [http://app1.unmc.edu/forms/its/ssn_request.cfm Request to Use Social Security Number], must be completed and submitted to the Information Security Office which will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].


===Approval/Disapproval Process===
===Approval/Disapproval Process===
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  


If the request to use Social Security number is approved, the Information Security Office will send the approval document to the unit management and requestor.
If the request to use the Social Security Number is approved, the Information Security Office will send the approval document to the unit management and requestor.


If the request to use Social Security number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
If the request to use the Social Security Number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
===Review of Electronic Data storage===
===Review of Electronic Data storage===
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
Line 86: Line 87:
'''''Information Security''''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
'''''Information Security''''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.


'''''Workforce''''' means students, employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
'''''Workforce''''' means students, employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.
==Additional Information==
==Additional Information==
*Contact [mailto:swelna@unmc.edu Associate Director, Compliance, Information Technology Services], 402.559.2545
*Contact [mailto:lbazis@unmc.edu Chief Info Security Officer, IT Information Security], 402.559.2882
*UNMC Policy No. 6045, [http://wiki.unmc.edu/index.php?title=Privacy/Confidentiality Privacy, Confidentiality and Information Security]
*UNMC Policy No. 6045, [http://wiki.unmc.edu/index.php?title=Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
*UNMC Policy No. 6051, [http://wiki.unmc.edu/index.php?title=Computer_Use/Electronic_Information Computer Use and Electronic Information Security]
*UNMC Policy No. 6051, [http://wiki.unmc.edu/index.php?title=Computer_Use/Electronic_Information Computer Use and Electronic Information Security]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]