!

Social Security Numbers

Overview

The University of Pittsburgh is committed to limiting its use of Social Security numbers (SSNs) and maintaining the confidentiality of those numbers that it does collect. To that end, the University has developed a comprehensive policy to control the collection, management, and display of SSNs, and to limit their use as an identification number.

SSNs may only be requested when clearly justified, such as when required by law or for business purposes with certain third party providers. The collection of SSNs must be accompanied by an appropriate disclosure of its use. Online and offline computer systems that maintain SSN data must have adequate security as certified by CSSD to protect its confidentiality and integrity. Please refer to the specific actions below to ensure compliance with this policy.

Policy Summary

Collecting SSNs

SSNs may be collected and recorded when needed by federal or state governmental agencies or by outside third parties. The collection of SSNs by any University unit must receive prior approval from the University's Privacy Officer.

Disclosure

Units collecting SSNs must accompany the collection with a disclosure statement as to the purpose of the collection.

Maintaining SSNs

All records containing SSNs, whether computerized or paper, should be considered confidential information and maintained with appropriate management processes and security controls to protect the confidentiality and integrity of the information.

Data Mining

SSNs are considered to be confidential information and may not be used for purposes of data mining.

Displaying SSNs

If it is essential that an individual SSN be displayed (e.g., University pay stubs), all but the last four digits of the SSN must be masked.

Emailing SSNs

SSNs may not be included in emails, either as direct text or in an attachment.

Transferring SSNs

SSN data moved from one computer to another over a network interface must be transferred using encryption controls such as crypto routers and Secure FTP to protect its integrity and confidentiality. Data transfer methods using clear text, such as ftp, or ASCII files, are inherently insecure network interfaces and may not be used.

SSNs on Workstation and Local Databases

Local departmental databases or spreadsheets containing SSNs that are available through local servers or PCs are not permitted.

Third Parties

Third parties to whom SSNs are provided by the University must enter in a contractual agreement with the University to ensure that appropriate controls are in place to prevent their unauthorized release.