1.Purpose
The purpose of this policy is to help safeguard the Social Security numbers (“SSNs”) of UNCG students, employees and the public, while providing guidance on how Social Security numbers may be obtained, used and disclosed. This policy is designed to facilitate University compliance with N.C. Gen. Statutes 132-1.10 (lawful use of SSNs) and the federal statutes cited herein.
2.Scope
This policy applies to all University employees, contractors, subcontractors and vendors who, in the course of their employment or duties on behalf of the University, have access to SSNs.
3.Policy
3.1Disclosure of SSNs Within the University
LAWFULLY OBTAINED Social Security Numbers (SSNs) may be exchanged within the University among its various departments and divisions where necessary for the receiving department/division to perform its governmental duties and responsibilities, or as otherwise allowed or required by law. Note: Student SSNs are considered “education records” under the Family Educational Rights and Privacy Act (FERPA), and may be disclosed within the University only to “school officials, including teachers, within the University, whom the University has determined have legitimate educational interests.” See University FERPA Policy at http://sa.uncg.edu/handbook/wp-content/uploads/ferpa.pdf.
3.2Security Measures
University departments that receive SSNs must utilize security measures to protect the information, including those found in all applicable University policies and procedures. Proper physical security measures include, but are not limited to, limited access to SSNs, and locked filing cabinets and offices.
With regard to electronic security measures, SSNs are considered “Restricted Data” pursuant to the UNCG Data Classification Policy at https://policy.uncg.edu/university-policies/data/. Electronic storage and transmission of SSNs must be accomplished in compliance with the UNCG Information Security Policy at https://policy.uncg.edu/university-policies/information_security/. Unless required by law, a SSN shall not be transmitted over the Internet, except where the connection is secure or the SSN is encrypted.
3.3Sending SSNs by Mail
SSNs may not appear on any materials that are mailed, unless state or federal law or regulations allow or require that the SSN appear on the document to be mailed. A SSN that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
3.4Federal Privacy Act
Pursuant to the Federal Privacy Act, UNCG shall not deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his/her SSN, except refusal to disclose after a request pursuant to the requirements of a statute.
3.5Requiring Individuals to use SSNs to Access Services
SSNs shall not be intentionally printed or imbedded on any card required for an individual to access University services. Unless the connection is secure or the SSN is encrypted, an individual shall not be required to transmit his/her SSN over the Internet. An individual shall not be required to use his/her SSN to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.
3.6How May UNCG Disclose SSNs to Persons or Entities outside UNCG?
UNCG may disclose “LAWFULLY OBTAINED” SSNs to persons or entities outside the University when allowed or required by law. The examples below are not an exhaustive list, and the persons making disclosures should refer to the University policies, statutes and regulations that apply to their particular department or division. Counsel can be consulted if questions about disclosure remain.
3.6.1Disclosure of SSNs to other Governmental Entities.
LAWFULLY OBTAINED SSNs may be disclosed by UNCG to another governmental entity (State or Federal) where disclosure is necessary for the receiving governmental entity to perform its governmental duties and responsibilities. The receiving governmental entity shall maintain the confidential nature of the SSNs.
Specific examples (not an exhaustive list) of when UNCG may disclose LAWFULLY OBTAINED SSNs to other governmental entities are listed in the UNCG Statement of Purposes for Which Social Security Numbers are Collected and Used at http://provost.uncg.edu/Academic/EPA_Personnel/Docs/UNCG_Statement_of_Purposes.pdf.
3.6.2Disclosure of SSNs to Contractors and Vendors.
UNCG may disclose LAWFULLY OBTAINED SSNs to its contractors or vendors where disclosure is necessary for UNCG to perform its bona fide governmental duties and responsibilities. Such vendors or contractors shall maintain the confidentiality of the information. If any division or department of UNCG is contemplating entering into any contract or agreement where there will be disclosure of SSNs to any vendor or contractor, University Counsel shall be consulted prior to entering into such a contract. In addition, disclosure of Student SSNs to contractors or vendors is subject to FERPA. See section IV.B.2 of University FERPA Policy on the Student Policy Handbook web page at http://sa.uncg.edu/handbook/wp-content/uploads/ferpa.pdf.
3.6.3Disclosure as required by Court order, Warrant or Subpoena.
UNCG may release SSNs in response to a court order, warrant or subpoena. University Counsel should be immediately consulted upon receipt of such documents.
3.6.4Disclosure for Public Health Purposes.
UNCG may release SSNs to public health officials where necessary to identify, investigate or prevent health risks.
3.7How may UNCG “LAWFULLY OBTAIN” SSNs from Persons or Entities Outside UNCG?
UNCG may “LAWFULLY OBTAIN” SSNs from persons or entities outside the University when allowed or required by law. The examples below are not an exhaustive list, and the UNCG employees obtaining SSNs should refer to University Policies and the statutes and regulations that apply to their particular department or division. Counsel can be consulted if questions remain. After UNCG receives the SSNs from persons or entities outside the University, it shall observe the security measures set forth in the section Security Measures above.
3.7.1Receipt of SSNs from OTHER GOVERNMENTAL Entities.
SSNs may be received by UNCG from other governmental entities (State or Federal) where disclosure is necessary for UNCG to perform its governmental duties and responsibilities.
3.7.2Obtaining SSNs directly from INDIVIDUALS.
If SSNs cannot be obtained from within the University or from another governmental entity and UNCG must instead obtain the SSN directly from the INDIVIDUAL, then UNCG must be “authorized by law” to do so, or the collection of the SSN must be imperative for UNCG to “perform its duties and responsibilities as prescribed by law.”
Some examples (not an exhaustive list) of when UNCG is “authorized by law” to obtain SSNs from Individuals are listed in the UNCG Statement of Purposes for Which Social Security Numbers are Collected and Used at http://provost.uncg.edu/Academic/EPA_Personnel/Docs/UNCG_Statement_of_Purposes.pdf.
3.7.3Additional Requirements Imposed by North Carolina Law when Collecting a SSN from an Individual.
In addition to being “authorized by law” to collect the SSN, the department or division of UNCG that collects the SSN from an individual must comply with the following additional provisions:
- UNCG must maintain the SSN in its records such that it is readily redacted if the records are subject to a public records request; and
- UNCG must be ready to provide the individual, upon request, the reason or reasons for which the SSN is being requested; and
- UNCG may use the SSN only for the stated purposes: and
- UNCG shall not intentionally communicate or otherwise make SSNs available to the general public.
3.8The Family Educational Rights and Privacy Act (FERPA)
Student SSNs maintained by UNCG are Education Records pursuant to FERPA. As such, student SSNs and may not be disclosed except as permitted by FERPA. Generally, express written permission from the student is required for disclosure of this information to a third party. See the University FERPA policy at http://sa.uncg.edu/handbook/wp-content/uploads/ferpa.pdf and contact University Counsel with questions.
3.9HIPAA Restrictions
SSNs are considered “protected health information” (PHI) under privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As such, the use and disclosure of SSNs are subject to other restrictions under those rules and the UNCG policies that govern the use and disclosure of SSNs. Please contact the UNCG HIPAA Privacy Officer and the University HIPAA Policy at https://policy.uncg.edu/university-policies/HIPAA/ with any questions related to the proper use and disclosure of SSNs under the HIPAA Privacy rules.
4.Enforcement
Any violation of this policy by faculty and staff is “misconduct” under EPA policies (faculty and EPA non-faculty) and “unacceptable personal conduct” under SPA policies, including any appeal rights stated therein. Violations of law may also be referred for criminal or civil prosecution.
5.Review
The Administrative Systems Committee will periodically review this policy as necessary.
6.Links to Related University Policies
7.Contact
Comments or questions? Email the Policy Administrator.
Revisions
| Revision Date | Revision Summary |
|---|---|
| 07/06/2022 | Conversion from old policy website to new formatting; confirmed with Liaison that no immediate review was required. |