Social Security Number Appendix II

Overview

This document describes NSU’s policy for the handling of Social Security Numbers stored, processed, or transmitted electronically. Examples of these include: enterprise databases, small databases such as MS Access, Web pages, e-mail, spreadsheets, and tables or lists in word processing documents.

Policy Statement

It is our policy not to collect Social Security Numbers (except as otherwise required by law), to use them as an identifier in order to provide services, or to transmit them electronically in an unsecured manner.

Procedure

  • Electronic records containing SSNs may be stored only on University-owned electronic devices, and such devices must be secured against unauthorized access. Computer systems requiring the storage of SSNs should store them in separate – if possible, encrypted and password-protected – data files or data sets.
  • Persons with access to electronic systems containing SSNs must take reasonable care to minimize the time that computer screens display SSNs and to shield computer screens displaying SSNs from those without a legitimate work-related reason to access the SSNs. Computer screens displaying SSNs should never be left unattended.
  • Information containing SSNs, or any part thereof (e.g., the last four digits of the SSN), may not be published on any University web site.
  • Employees may not share passwords to computer systems that provide access to screens displaying SSNs.
  • No University employee may require individuals to use SSNs as passwords, codes, or identifiers for access to Internet web sites or other services.
  • When computers are sent to surplus or transferred to another department, data containing SSNs must be destroyed.
  • Users who borrow a University laptop computer for temporary use should ensure that any confidential information that they may have stored on the computer’s hard drive in the course of such temporary use is removed before returning the computer to the University.
  • No University employee may require individuals to send their SSNs over the Internet, by email, or instant messaging for a University-related purpose, unless the connection is secure or the SSN is encrypted.

Updated July 2009
