Social Security Numbers (SSN)
No one can be too careful or too vigilant in protecting their own identity and confidential information. Top of the list is the Social Security Number (SSN), which is the gateway to an identity with or without a name, address, and phone number attached. In the work environment, the KU Community must be equally cautious in protecting the identities and information of the students, faculty and staff whom we serve every day. Attached is an SSN Self-Assessment Survey Tool to assist each department in its search for SSN.
- SSN Self Assessment Survey
- KU Privacy Audit (49 KB PDF)
- Does HIPAA/GLBA/FERPA/PCI apply to my department/unit? (88 KB PDF)
Guidance for handling sensitive, confidential or nonpublic information
The University's goal is to use sensitive, confidential and/or private information only when necessary for processing required paperwork or as required by law. Users and holders of sensitive, nonpublic information or data are responsible for the confidentiality and security of the information they maintain and use. The following requirements therefore apply, and should be implemented immediately by all departments, units, faculty and staff in their university duties (academic and administrative), to protect the security and integrity of sensitive, nonpublic information, including but not necessarily limited to the following:
- Social Security Numbers (SSN)
- KU ID numbers
- Credit Card Numbers
- Individually Identifiable Information used in Research
- Medical/Individually Identifiable Health Information (IIHI)
- Financial/Nonpublic Personal Information (NPI)
- Grades, Student Records or personally identifiable information (PII) (KU Student Records Policy)
Recommended 12 Steps to Improved SSN Handling
- Assess Your IT Systems: Check in with the IT Security Office for information on assessing your systems that may contain sensitive, nonpublic and/or confidential information or data.
- IT Security Office (ITSO)
- Review written agreements associated with the transfer of sensitive, nonpublic and/or confidential information or data for requirements and procedures
- Use strong passwords and inactivity log-offs on all computers, portable devices and removable media
- Purge SSN from your computer (hard or storage drives, including any storage or removable media/drives), portable devices (PDA, laptop), email (including attached files) and department/shared network drives whenever they are not absolutely necessary. Sanitize by overwriting or
- Beware spreadsheets. Do not retain sensitive, nonpublic and/or confidential information or data in a spreadsheet or other electronic file (including Word, Excel, Access, web page or database files) unless it is placed on a secure server (e.g. the IS computer farm) and properly encrypted and access-restricted through ITSO.
- E-mail is a postcard. Do not request or send sensitive, nonpublic and/or confidential information or data (especially SSN and credit card numbers) by email. If you must send it, encrypt the file and deliver the password by a separate channel (never in the same message as the file).
- Limit transfer of information. When sensitive, nonpublic and/or confidential information or data is required for doing business, provide it either in person or by facsimile transmission (only if the fax machine is located in a secure area with limited access for sending and receiving).
- Lock up documents. Paper documents containing sensitive, nonpublic and/or confidential information or data should be kept in a secure, locked environment with limited access only.
- Annually review your files and records for materials which may be purged or are no longer needed. If the material is on a hard drive, ensure you "wipe" it clean pursuant to ITSO standards.
- IMMEDIATELY report any breach (suspected or confirmed), loss of portable devices or media, or theft to the IT Security Office and Privacy Office.
- Follow all policies and procedures regarding data and inquire with the ITSO or the Privacy Office about additional steps you may take to secure the privacy and retention of sensitive, nonpublic and/or confidential information or data.
- Retain records as directed. Records containing protected health information (PHI) must be retained for 6 years from the date of creation. Records that may be part of litigation, anticipated or ongoing, must be retained unless released by the Office of the General Counsel.
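The first step above (assess your IT systems) and the purge and spreadsheet steps all depend on first finding where SSNs are stored. The following Python scanner is an added example, not KU's survey tool or any ITSO code. It walks a directory tree, reads text-based files (CSV exports, logs, plain text), and reports lines that contain a likely SSN. It applies the structural rules the Social Security Administration publishes for issued numbers (area never 000, 666 or 900-999; group never 00; serial never 0000) to cut false positives, reports bare nine-digit numbers only when the line also mentions SSN (so KU ID numbers and phone numbers are not flagged), and prints every hit masked so the scan report itself does not become another copy of the data. The file-extension list, the confidence labels and the embedded sample CSV are constructed for this example.

```python
"""Hypothetical SSN discovery scanner (added example; not the university's own tool)."""
import re
import sys
from pathlib import Path

# Formatted SSN such as 123-45-6789 or 123 45 6789. The lookarounds stop the pattern
# matching inside a longer run of digits or a longer hyphenated identifier.
FORMATTED = re.compile(r'(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])')
# Bare nine-digit run. Reported only when the same line mentions SSN, because bare
# nine-digit numbers are also phone numbers, ID numbers and account numbers.
BARE = re.compile(r'(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)')
CONTEXT = re.compile(r'\b(ssn|social\s+security)\b', re.IGNORECASE)

# Text-based formats this example reads. Binary spreadsheets (.xlsx) would need a
# converter such as openpyxl first; that is left out to keep the example stand-alone.
SCAN_SUFFIXES = {".txt", ".csv", ".log", ".md", ".html", ".json"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(serial: str) -> str:
    """Keep only the last four digits so reports do not leak the full number."""
    return f"***-**-{serial}"


def scan_text(text: str) -> list:
    """Return (line_number, masked_value, confidence) for each likely SSN in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in FORMATTED.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append((line_no, mask(m.group(3)), "high"))
        if CONTEXT.search(line):
            for m in BARE.finditer(line):
                if is_plausible_ssn(*m.groups()):
                    findings.append((line_no, mask(m.group(3)), "medium"))
    return findings


def scan_tree(root: str) -> dict:
    """Map each file path under root that contains likely SSNs to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_text(text)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample of a departmental CSV export. The IDs are fictitious.
SAMPLE = """name,id,note
Jane Doe,2811234,ssn on file 123-45-6789 for payroll
John Roe,2819876,phone 785-864-0000
Ann Lee,2815555,SSN 456123456 reported by student
Bad Row,0,000-12-3456 is not a valid SSN
Bare Row,0,123456789 with no context is ignored
"""


def scan_sample() -> list:
    """Run the scanner over the embedded sample; used for the stand-alone demo."""
    return scan_text(SAMPLE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for line_no, masked, confidence in hits:
                print(f"{path}:{line_no}: {masked} ({confidence})")
    else:
        for line_no, masked, confidence in scan_sample():
            print(f"sample:{line_no}: {masked} ({confidence})")
```

Run it with a directory argument to scan a share, or with no argument to see it classify the sample: the payroll line is a high-confidence hit, the student-record line is medium (bare digits with SSN context), and the phone number, the 000-area number and the context-free nine-digit run are all ignored. Treat every "high" hit as a file to purge or move to an ITSO-approved encrypted location, and review the "medium" hits by hand.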