IT Policies
white space

 



Requesting Access to InfoSource Data Containing Social Security Numbers: Policies and Procedures
(Updated 04.28.06)

Introduction

Social Security Numbers are highly confidential and legally-protected data.  The Federal Privacy Act of 1974, the Family Educational Rights and Privacy Act (FERPA) and NY State statutes regulate the collection, use, and dissemination of social security numbers. UB is committed to protecting the privacy and legal rights of its community members and to educating the university community regarding the confidential nature of SSNs.  As a university we must work to reduce or eliminate the use of SSN's for identification purposes and to ensure that SSN's are secured in all university databases and applications.  UB is required to notify individuals if there is a security breach involving their SSN's ( NY State Information Security Breach and Notification Act) and to report security incidents to SUNY ( NY State Cyber Incident Reporting Procedure).

Policy
Access to InfoSource data containing Social Security Numbers (SSN) is limited to those with a legal or business need in the performance of their job responsibilities and will be granted by data trustees where appropriate. This access may not be delegated to or shared with anyone.  Data trustees will revoke access to InfoSource data SSN display when employees are terminated, change job responsibilities, no longer need this access in their new position, or if the employee violates university standards for use and securing of private information such as SSNs. (See Standards for Securing Access to Private and Regulated Information .

Procedures
Requesting Access to InfoSource Data Displaying SSN
Data trustees grant and revoke access to SSNs.  To request access, complete the following steps
  1. Print and complete the Access to SSN Data in UB InfoSource form. (Please contact the appropriate Data Trustee for the URL for the form.) The form contains an area where you are required to cite the legal or business purpose, that is, the legal statute that requires you to view/use the SSN and/or how access to the SSN in InfoSource is needed to perform your job.  You also will need to describe how the SSN will be used in your unit.
  2. Have the form signed by your immediate supervisor and the head of your area (Vice President, Dean, Vice Provost) or his/her designee. You will also be required to sign the form as the requester.
  3. Send the form to the appropriate data trustee for review (Data Trustees List). The InfoSource/SSN Access Committee composed of Data Trustees, the campus Information Security Officer, and a representative from Administrative Computing Services, will review the request and you will be informed of the decision to grant or deny access by the Data Trustee.

What is a Valid Request?
Please note that you will need to supply the legal or business purpose for access to InfoSource data containing SSNs.  Although you may need to collect and use SSNs in your work, you may not need to view SSNs in InfoSource data.  For example, BARS, not InfoSource, is the database of record for HR and payroll data. In most cases, person number can be used in lieu of Social Security Number.

The following are examples of business areas where the University is required to collect and share SSNs. 
  • Employee Processing
    • Tax authority forms, e.g., IRS Form W-4
    • State agency reporting, e.g., new hire reporting
    • Federal agency requirements, e.g., INS Form I-9
    • Retirement plan administration
  • Student Services
    • Student Account Statements (IRS regulations require the University to request a SSN as a Taxpayer ID number for use in tax reporting.)
    • Free Federal Applications for Student Aid (FAFSA) and student loan programs
    • Tax authority forms, e.g., scholarship reporting
    • Collections activity, e.g., federal loan collections
    • INS regulations for international students (SSN must be provided on I-9s in accordance with immigration law)
    • Certification exams if mandated by the certifying agency
  • Other (Vendors, Contractors, Agencies)
    • Federal agency reporting, e.g, federal grants
    • State agency reporting, e.g., state vendor payment control
    • Payment for personal or professional services
    • Planned giving donors

Process for Review
After receiving the completed and signed form, the Data Trustee will review your request and notify you, your supervisor, and the head of your area of his/her decision as soon as possible.  If you are granted access to InfoSource data containing SSNs, you will also be sent guidelines for securing sensitive, private information, such as SSN data. Data Trustees will have access to a report of all employees authorized to access SSNs, and will monitor access and conduct an annual review of the continued need for access.

Standards for Securing Private and Regulated Institutional Information
University at Buffalo has legal and ethical obligations to protect the privacy and confidentiality of private information such as the SSN and credit/debit card numbers.  All those with access to protected private information such as the SSN are required to review and comply with the University University Standards for Securing Private and Regulated Information.







   white space
  



Related Links

» NY State Information Security Breach and Notification Act

» Federal Privacy Act of 1974

» Family Educational Rights and Privacy Act: FERPA

» NY State Law: Chapter 16, Article 1, Title 1, Section 2b

» Social Security Number Policy: UB's General Policy on the Collection and Use of Social Security Numbers

» UB Standards for Securing Private and Regulated Institutional Information Such as SSNs

» UB Policy on Securing Network Connected Devices

» UB IT Policies Web Site


Copyright 2007, University at Buffalo, All rights reserved.