Processes for New or Changing How Social Security Numbers Are Used
Social Security Numbers (SSN) are a special kind of information that needs specific checks so that you can use them in a system at the University. The Data Governance Oversight Group (DGOG) will take a close look at how SSN is used, why, and whether the University can justify that use. The following scenarios require a review.
Whenever you plan to use SSN for the first time, you will need to bring some information to DGOG for review. This includes:
- entering the SSN in a new application or service
- creating a new form to collect SSN
- sending SSN to a different third-party organization
- any new use of SSN
Change of Process
If you are currently using SSN at the University, but the application, storage, any third-party vendor, secondary use, or other important element of the use is changing, that will need to come for a new review.
Change of Access Category
If you need to give a new category of people access to SSN, you need to bring the request to DGOG for review. If you have an existing approved process for SSN use, DGOG does not need to review it every time a new person needs to follow the process. For example, a new HR Officer is hired and is onboarding a new employee. The HR Officer is in an existing category planned for and performing the approved process for SSN use. The normal access control method is followed. However, if you suddenly need to give a whole new category of people SSN access for an existing process, adding business officers for example, then you need to bring this request to DGOG for review.
Change of Use
If you have a vendor of specific items or an application that has already been Risk Assessed and reviewed for SSN use, the application itself doesn’t need a new review, but if it’s being used in a different way or a new group will use it with SSN, that group and project will need a review.
To perform a review, the DGOG will ask questions like the following. You can prepare for the review by knowing the answers. Some of this may be developed in the (also required) Information Security Risk Assessment if it’s already complete. But that process and the DGOG review can happen in parallel. You may already have other reviews that would contribute to this one. DGOG will generally not walk the same ground as other authorities and will take their work to abbreviate what’s needed.
1. Purpose/Type of use – a good description of why SSN are needed, how SSN would be used and what the underlying purpose relates to, for example: business, education, clinical research, or other purpose; also ask about whether other identifiable data will be collected and stored
2. New request or a modification to a prior approved use. If this is a modification to a prior approved use, please explain how this is different (e.g., scope) and provide a copy of the underlying approval.
3. Full or partial SSN – add any justification that might not be obvious for using SSN rather than something else or full rather than partial. *Requester needs to make the case why other identifiers would not be sufficient.
4. Copy of the Security Risk assessment, if applicable.
5. Context – include unit and responsible individual(s), duration of use one-time/ongoing/duration, other background. *Provide name of the “Business Owner” and “Application/IT Owner” who will be supporting the transmission/storage as applicable.
6. Transmission/Storage—where will SSN be housed (e.g., specific server or service)? How will SSN be transmitted/processed? Name/contact information for IT support. (Security Risk Assessment may include some or all of this information.)
7. Access – List of any/all users who will have access to SSN, specific users or role/category of users as applicable. If access role, describe criteria for assigning it.
8. Third party – Will disclosure to/access by any external third party? If disclosure/access, provide copy of underlying services agreement(s)
9. Record Retention – What is the record retention schedule that will be used and followed? (If ours, what schedule item(s) apply to the data?) What is the process for deleting/removing the information once it is no longer needed for the original purpose?
10. IRBIS – If related to research project, provide IRBIS #