SSN Policy

PAU SOCIAL SECURITY NUMBER (SSN) USAGE POLICY

Audience:

All Palo Alto University faculty, staff, and students. All employees, both permanent and temporary. All contractors, vendors, and any others entrusted with SSN information.

Definition:

It is Palo Alto University’s intent to protect the personal information of its students, staff, faculty, and other individuals associated with the University from unauthorized access or disclosure, and possible misuse or abuse. This policy is designed to establish awareness and provide guidance on the proper handling of Social Security Number (SSN) information maintained by or on behalf of Palo Alto University.

Policy Statement:

Social Security Numbers may not be captured, retained, communicated, transmitted, displayed, or printed in whole or in part, except where required or permitted by law, and in accordance with the standards outlined in this policy.

Scope

The policy applies to the SSN whether maintained, used or displayed wholly or in part, and in any data format, including but not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile, or another medium as determined.

Policy Owner

Compliance Committee (compliance@paloaltou.edu)

Standards

  1. Palo Alto University does not permit the use of an SSN as the primary identifier for any person or entity in any system, except where the SSN is required or permitted by law, and permitted by University policy.
  2. Where permitted by law and University policy, the SSN may be stored as a confidential attribute associated with an individual or may be used as an optional key to identify individuals for whom a primary identifier is not known.
  3. Individuals shall not be required to provide their Social Security Number, verbally or in writing, at any point of service, nor shall they be denied access to those services should they refuse to provide an SSN, except where the collection of SSN is required by law or otherwise permitted by University policy. Individuals may volunteer their Social Security Number if they wish, as an alternate means for locating a record.
  4. Except where the SSN is required by law, Jenzabar ID replaces the use of the SSN and will be used in all future electronic and paper data systems and processes to identify, track, and service individuals associated with the University. The University ID will be permanently and uniquely associated with the individual to whom it is originally assigned.
  5. All newly developed or acquired application software will not store SSN as a data element until a business requirement is submitted and approved by the Data Steward and Compliance Committee.
  6. Servers housing databases or records containing SSNs should be of single purpose, encrypted while at rest and in transit, with access restricted to system administrators, protected by an approved firewall appliance, and should not be used by individuals to access the Internet or access e-mail.
  7. Where possible, all records containing an SSN should be stored on network drives with access limited to those individuals or entities that require access to perform a legitimate University job function. Individual workstations, laptops and other personal computers should not be used to store records containing SSNs. By default, all PAU issued laptops are encrypted to ensure data is protected.
  8. All removable or transportable media (e.g., paper forms, reports, cassettes, CDs, USB drives, etc.) containing SSNs must be secured when not in use. Reasonable security measures depend on the circumstances but may include locked file rooms, desks, and cabinets.
  9. Subject to applicable document retention policies or unless required by law, when no longer required, paper documents and electronic media containing SSNs will be destroyed or disposed of using methods designed to prevent subsequent use or recovery of information.
  10. SSNs will be released to entities outside the University only where permitted or required by law, or with the express written permission of the individual or entity, or where approved by General Counsel.
  11. The University will limit access to records containing SSNs to those individuals requiring access as determined by job function. Individuals permitted access to SSNs will be instructed on the appropriate handling and protection of this data by their management or designated representative.

Procedure

Individual business units are responsible for the development, documentation, and implementation of applicable procedures to effectuate this policy. Procedures are subject to review by the Compliance Committee.

Approved Uses of SSN

For processing payroll and other human resource functions, including benefits registration and processing, tax reporting, unemployment reporting, workers compensation, direct deposit and payroll deductions for University gifts or services such as parking fees, etc.

As required by the Internal Revenue Code under sections 3402(f)(2)(A) and 6109 and their regulations

For use in student admission and enrollment and included as part of the student’s demographic record, including to coordinate the transition from one educational institution to another.

As may be required by Section 483 and 484 of the Higher Education Act (HEA) of 1965

For use in scholarships and financial aid, including as required by federal law for financial aid reporting, financial aid transactions, and federal work-study.  Note that all loan applications use the SSN.

As may be required by Section 483 and 484 of the Higher Education Act (HEA) of 1965