Handbook of Operating Procedures 3-1030

Protecting the Confidentiality of Social Security Numbers

The University of Texas Austin
Executive Sponsor:  VP for Legal Affairs

September 21, 2004

 


 

  1. Purpose

The purpose of this policy is to provide information and rules of conduct for protecting the confidential nature of social security numbers used at or by the University, without creating unreasonable obstacles to the conduct of business at the University. These rules are mandated by UT System Policy UTS165, a document adopted by the Board of Regents that provides guidelines and requirements for protecting the confidentiality of social security numbers at the University and throughout the UT System.

 

  1. Scope

This policy applies to all University employees including part-time, temporary and student workers.

 

  1. Definitions

An employee is a person who has a current, active appointment to work for the University, or is hired by the University pursuant to a flat-rate agreement to perform services for a specific occasion, including student workers and faculty.

 

  1. Rules of Conduct

     1. Employees shall comply with the provisions of UTS165 and related University policies and procedures. An employee who fails to comply with the rules of conduct may be subject to appropriate disciplinary action, including termination in accordance with the University’s policies and procedures.
     1. Employees may not ask for a social security number if it is not necessary and relevant to the purposes of the University and the particular function for which the employee is responsible.
     1. Employees may not disclose social security numbers to unauthorized persons or entities.
     1. Employees who are responsible for the maintenance of records that contain social security numbers shall observe all administrative, technical and physical safeguards established by the University in order to protect the confidentiality of such records.
     1. Social security numbers may not be shared with third parties except as required by law, with the consent of the individual, or when a third party is an agent or contractor for the University. As of January 30, 2005, when social security numbers are shared with a third party, a written agreement should be entered into between the University and the third party. The written agreement should:
        1. prohibit the third party from disclosing social security numbers, except as required by law
        1. require the third party to use adequate administrative, physical and technical safeguards to protect the confidentiality of records containing social security numbers.

        In addition, the University is required to hold the third party accountable for compliance with the written agreement through regular monitoring.

     1. Employees shall promptly report to their supervisors any inappropriate disclosure of social security numbers; the supervisor is responsible for reporting the disclosure to the University’s SSN Coordinator. An employee may make a report anonymously, in accordance with the University’s compliance program, if he or she so chooses. Retaliation against an employee who, in good faith, reports a possibly inappropriate disclosure of social security numbers is prohibited.
     1. As of March 1, 2005, employees shall not send social security numbers or other confidential information over the Internet or by e-mail unless the connection is secure or the confidential information is encrypted or otherwise secured. Records containing social security numbers or other confidential information should not be stored on University or personal computers or other electronic devices that are not secured against unauthorized access.
     1. Student grades shall not be publicly posted or displayed in a manner in which all or any portion of the social security number identifies the student associated with the grade. In addition, the social security number shall not be displayed on documents that can be widely seen by the general public (such as rosters and bulletin board postings) unless required by law.
     1. Records or media (such as disks, tapes, hard drives) that contain social security numbers shall be discarded in a way that protects the confidentiality of the social security numbers and in accordance with the University’s records retention schedule.

  1. Interpretation

The SSN Coordinator at the University officially interprets the rules of conduct and is responsible for revising them as necessary.

 

For Assistance: Questions regarding the SSN Rules of Conduct should be directed to Jeffery L. Graves, SSN Coordinator, or to the University Compliance Services website at http://www.utexas.edu/compliance/.

 

Source: UT System Policy UTS165

 

University Compliance Services Training Module: CW 103

 

University Compliance Services Training Module: CW 504

 

Previously HOP 4.C.1