Brown University is dedicated to maintaining the privacy and proper handling of the Social Security Numbers (SSNs) of its students, employees, and individuals associated with the University. The primary purpose of this Social Security Number requirements document is to further define what is necessary for social security number protection, under the Policy on the Handling of Brown Restricted Information, and provide that the necessary procedures and awareness exist so that the University may comply with all applicable laws and regulations. It is the goal of this policy that the reliance on SSNs will be reduced through updates to systems, providing alternative methods of record keeping, and awareness of the proper handling and risks of SSN use.
- Compliance with any federal, state, and/or local laws and regulatory mandates
- Broad awareness of the confidential nature of the SSN
- Reduced use and reliance upon the SSN for identification purposes
- Increased emphasis on secure use, transmission, and storage of the SSN throughout the Brown systems
- A consistent policy toward and treatment of SSNs throughout the University
- Increased confidence by students and employees that SSNs are handled in a confidential manner
These requirements apply to all individuals performing a function for the University with social security numbers, in any format. Individuals covered by the policy include (but are not limited to) Brown faculty and visiting faculty, staff, students, alumni, guests or agents of the administration, and external individuals and organizations accessing network services via Brown's computing facilities.
These requirements apply to technology administered in individual departments, the resources administered by central administrative departments (such as the University Libraries and Computing and Information Services), personally owned computers and devices connected by wire or wireless to the campus network, and to off-campus computers that connect remotely to the University's network services.
4.0 Social Security Number Requirements
It is Brown University's intent to protect the SSN of its students, staff, and faculty to minimize the growing risks of identity theft, and comply with all applicable laws and regulations.
Accordingly, in the absence of a determination of institutional need, the SSN may not be used as an identifier or used as a database key in any electronic information system. The SSN may be collected and used when necessary for employment records, financial aid records, and a limited number of other business and governmental transactions, as required by law and acknowledged by the DPRM Steering Committee.
The following are Brown University policy regulations that apply to all of the Brown community:
- All new systems purchased or developed by Brown will not use SSN as identifiers except where such use is specifically permitted or required under this policy. Such systems should not visually display the SSN on any system output, including monitors and printed forms, unless required by law or required by Brown University as needed in execution of its duties.
- No new system or technology where the SSN is a consideration, will be developed or purchased by Brown unless it is compliant with this policy or approved by the DPRM Steering Committee as an exception.
- All University forms and documents that have an approved need to collect SSNs will use the appropriate language to indicate whether request is voluntary or mandatory.
- For new and existing business needs unable to comply with these policy requirements, the formal SSN Policy Exception Form must be approved by the Chief Information Security Officer at Brown, and the Data, Privacy and Record Management (DPRM) Steering Committee.
An employee, student, volunteer, representative, contractor, or any other agent of Brown University who has substantially breached the confidentiality of SSNs may be subject to disciplinary action or sanctions up to and including discharge or dismissal, in accordance with University policy and procedures.
Departments currently using, or wishing to collect, store, or use SSNs in any way must:
- Show institutional need,
- Receive approval from the DPRM Steering Committee, and
- Permit audits (including server and application security) at a minimum of annually to ensure safe SSN handling.
The detailed process is:
- The department requests the SSN Policy Exception Form from the Chief Information Security Officer.
- The department completes the form and sends it back to the Chief Information Security Officer.
- Chief Information Security Officer reviews the form and sends a summary or proposal to the DPRM Steering Committee.
- If approved by the Committee, a signed approval document is provided to the requesting department.
- Internal Audit is notified that the department has Brown approval to collect, store, or use SSNs, and should be audited annually.
Requirements and Conditions of SSN Usage:
- Grades and other pieces of personal information will not be publicly posted or displayed in a manner where either the complete or partial SSN are used to identify an individual.
- In all new systems that require SSNs, they will be transmitted electronically only through encrypted mechanisms.
- Paper and electronic documents containing SSNs will be disposed of in a secure fashion in accordance with University data-handling requirements, as defined by Brown's designated data classifications (document in process) and the authorized Data/Records Owners.
- SSNs will be released by the University to external entities only:
- As allowed or required by law; OR
- When permission is granted by the individual; OR
- When the external entity is acting as the University's contractor or agent and adequate security measures and agreements are in place to prevent unauthorized dissemination to third parties.
7.0 Phased Compliance Strategy
Brown University will utilize a phased compliance strategy for its existing systems. All Departments and Business Units are strongly encouraged to complete the required system and process modifications to comply with this policy as soon as reasonably possible. Given the scope of process, system, and data changes required, compliance plans and formal projects may be utilized to ensure the proper focus and tracking in this area.
8.0 Related Policies and Documents
Questions or comments to: ITPolicy@brown.edu
Effective Date: April 2, 2012