Data & Assets
Social Security Number Use
The University of Missouri collects and maintains confidential information including Social Security numbers (SSNs). In order to maintain the privacy and security of this information, the following guidelines are applicable to all business units and must be followed whenever SSNs are used including, but not limited to, in University computer applications, databases, paper files and documents, electronic files, and data transmissions.
The objectives of this element are to:
- Broaden awareness of the confidential nature of the SSN;
- Develop a consistent policy for treatment of SSNs throughout the University;
- Increase emphasis on secure use, transmission and storage of SSNs throughout the University;
- Identify responsible parties related to ensuring SSNs are used securely;
- Comply with applicable federal, state and local rules and regulations pertaining to the use of SSNs.
altID: Alternate identifier assigned to replace the SSN for use in University business processes.
DCS: Data Classification System; a University Information Security program element that defines the security measures that must be taken for different types of data.
Employee: A person who has a current, active appointment to work for the University, or is hired by the University to perform services for a specific occasion, including consultants, contractors, faculty, staff and student workers.
Information Security Officer (ISO): An information security professional responsible for enforcing information security policies and programs for their business unit (campus).
Local Use: Any use of SSNs within a system, file, spreadsheet, database or other storage location within an individual University department and outside of the secure system managed by the Division of IT.
SSN: A nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents under section 205(c)(2) of the Social Security Act, codified as 42 U.S.C. § 405(c)(2). The number is issued to an individual by the Social Security Administration, an independent agency of the United States government, primarily for taxation purposes.
- SSNs are classified as level 4 data within the University's Data Classification System (DCS). Any collection, disposal, storage, transmittal or use of SSNs (whether electronically or in paper form) must meet the security requirements detailed in the DCS program element.
- SSNs will only be collected, stored, displayed, transmitted or used when their use has been properly requested and approved. The requestor, along with the dean, director or department chair, has responsibility for ensuring SSNs are managed in a secure manner within their department.
- Requests to use SSNs must be documented utilizing the Request For Authorization To Use SSN Form. This applies to existing and new uses of SSNs. The completed form must be reviewed and approved by all of the following:
  - the appropriate Dean, Director or Department Chair;
  - the business unit ISO;
  - the business unit Chief Information Officer (CIO);
  - with final approval by the VP for Information Technology (VP IT) or UM Chief Information Security Officer (CISO).
Requests to transmit multiple SSNs to a non-UM entity must be made to the appropriate business unit ISO. More information about that process can be found on the Division of IT's SSN Vault Service page.
- Forms (paper, electronic, etc.) that collect SSNs must include disclosure statements regarding the reason for which the SSN is being collected and how it will be used.
- Electronic storage of SSNs must be in one centralized, highly secured database (the SSN vault) managed by the Division of IT. Each SSN collected by the University residing in the database will be assigned an altID. SSNs will not be stored in local application databases, on personal computers or other personal storage devices unless explicitly approved for local use.
- Transmission and transport of documents and files (electronic or in paper form) containing SSNs must follow the requirements outlined in the Standard for Transmission/Transfer of DCL3/DCL4 Data.
- SSNs will be released by the University to external entities only:
  - as required for educational certifications by state or recognized boards; or
  - when permission is granted by the individual; or
  - when the external entity is acting as the University's contractor and adequate security measures and agreements are in place to prohibit unauthorized dissemination; or
  - when the General Counsel's Office has approved the release; or
  - as otherwise allowed or required by law.
- Employees, as defined above, and volunteers who will have access to SSNs:
  - must sign a confidentiality agreement;
  - shall not use or disclose SSNs other than as required to perform their legitimate duties;
  - must promptly report any unauthorized disclosure of SSNs to their supervisor and ultimately to the appropriate ISO.
- An employee, student, or any associate of the University who disregards policies and/or standard security practices or who knowingly breaches the confidentiality of another's SSN is subject to disciplinary and/or legal action.
- If any exception to these requirements is deemed necessary, it will be identified at the time that a request is submitted and reviewed. The exception will be fully documented as part of that process and will include specific information security requirements that will be imposed. Completed forms and exception documentation will be kept on file by the appropriate business unit ISO.
Approved March 24, 2010