The University collects the Social Security numbers of individuals in certain circumstances in order to comply with applicable law – such as the Internal Revenue Code or federal financial aid regulations – or otherwise to meet the legitimate operational needs of the University.
Where the University collects individuals’ Social Security numbers, it will take measures to protect the confidentiality of Social Security numbers and to safeguard against the unauthorized or illegal release of those numbers. Such measures will include:
Maintaining University records containing Social Security numbers in a secure manner. Paper and other physical copies of such records shall be kept in a secure location. Electronic copies of such records shall be kept in a secure computer file requiring password-protected access and then only if encryption-protected. Electronic copies of records containing Social Security numbers shall not be stored on portable electronic devices except when reasonably necessary to the operations of the University and approved by a University officer, and then only if encryption-protected.
Limiting access to records containing Social Security numbers to those University employees and third parties acting on the University’s behalf who have a legitimate operational purpose of the University to access such records. Any such third parties who have been given access to University records with Social Security numbers shall be required to use the records solely for the legitimate operational purposes of the University and solely in a manner consistent with this policy, except as otherwise required by law.
Requiring all persons with access to records with Social Security numbers to maintain the confidentiality of those records and not to release those Social Security numbers except to persons who have a legitimate University operational purpose to access the records or except as required by law, such as in response to a validly issued subpoena.
Destroying records containing Social Security numbers in a manner which protects against unauthorized access. Paper and other physical copies of Confidential Personal Information shall be destroyed by shredding or comparable method. Electronic copies of Confidential Personal Information shall be destroyed after consultation with Information Technology Services by a method which protects against reasonable risks of unauthorized recovery or use, such as by degaussing magnetic media stored on devices or file wiping software.
Taking appropriate personnel action against persons who intentionally or with gross negligence violate this policy, up to and including termination from employment.
Note: This policy shall be publicly published or displayed by appropriate means, such as on the University’s official web site.