Administrative Procedures Handbook

Social Security Number Usage and Protection Procedure

In order to protect individual privacy and identity, Western Illinois University adheres to section 10 of the Identity Protection Act. Therefore, social security numbers must not be:

  • Publicly posted or publicly displayed;
  • Used as the primary account number or identifier for an individual, except where legally mandated or required;
  • Visibly printed on identification cards or badges;
  • Printed on materials that are mailed to individuals through the U.S. Postal Service, private mail services, electronic mail, or any similar method of delivery, unless State or federal law requires it;
  • Required to access online University services;
  • Encoded, embedded or printed using bar codes, chips, magnetic strip, RFID or other technologies;
  • Used, transmitted, or stored on records or record systems that are not encrypted and secure. For example, certain communication channels such as email, wireless, IM, chat, P2P, FTP, telnet, bulletin boards, SMS messaging, Microsoft Word/Excel/Access and web 2.0 technologies (blogs, tweeter, Facebook, etc.) are not acceptable choices for the sending, receiving or storage of SSNs; and
  • Used for any purpose other than the purpose for which it was authorized and collected.

Furthermore, the University will:

  • Ensure, to the extent practicable, the confidentiality of social security numbers. Social security numbers are considered sensitive data elements and will be managed and protected accordingly;
  • Not unlawfully disclose an individual’s social security number;
  • Strictly limit access to records and record systems containing social security numbers to those who have a business related reason to know this information. Requiring areas to assess, document and report to their VP area, annually or upon significant change, their business need for social security numbers. Annual assessment must include a statement of purpose or purposes for the collection and usage of social security numbers;
  • Direct areas which request a SSN (verbally or on a form) to inform individuals of the following:
    • Whether the disclosure is mandatory or voluntary;
    • By what statutory or other authority the SSN is solicited;
    • What uses will be made of the SSN and by whom;
    • How long a SSN will be retained; and
    • How a SSN will be destroyed or protected
  • Train users and areas to protect the confidentiality of social security numbers;
  • Redact social security numbers from the information or documents before allowing the public inspection or copying of the information or document;
  • Dispose of records containing social security numbers in a responsible manner that minimizes risk that the social security numbers can be accessed inappropriately; and
  • Ensure that obsolete computers and electronic media (anything that can store SSNs such as tapes, CDs, DVD, thumb drives, diskettes, iPods, cell phones, smart phones, PDAs, printers, etc.) are disposed of properly.