Social Security Numbers (SSN)
Guidance for handling sensitive, confidential or nonpublic information
Recommended 12 Steps to Improved SSN Handling
- Social Security Numbers (SSN)
- KU ID numbers
- Credit Card Numbers
- Individually Identifiable Information used in Research
- Medical/Individually Identifiable Health Information (IIHI)
- Financial/Nonpublic Personal Information (NPI)
- Grades, Student Records or personally identifiable information (PII) (KU Student Records Policy)
- Assess Your IT Systems: Check in with the IT Security Office for information on assessing your systems that may contain sensitive, nonpublic and/or confidential information or data.
- Review written agreements associated with the transfer of sensitive, nonpublic and/or confidential information or data for requirements and procedures
- Use strong passwords & inactivity log-offs on all computers, portable devices or removable media
- Purge SSNs from your computer (hard or storage drives, including any storage or removable media/drives), portable devices (PDA, laptop), email (including attached files) and department/shared network drives whenever they are not absolutely necessary. Sanitize by overwriting or
- Beware spreadsheets. Do not retain sensitive, nonpublic and/or confidential information or data in a spreadsheet or other e-file (including Word, Excel, Access, web page or database files) unless it is placed on a secure server (e.g. the IS computer farm) and properly encrypted and access-restricted through ITSO.
- E-mail is a postcard. Do not request or send sensitive, nonpublic and/or confidential information or data (especially SSNs and credit card numbers) by email. If you must send it, encrypt it and keep the password completely separate from the file.
- Limit transfer of information. When sensitive, nonpublic and/or confidential information or data is required for doing business, provide it either in person or by facsimile transmission (only if the fax is located in a secure area with limited access for sending and receiving information).
- Lock up documents. Paper documents containing sensitive, nonpublic and/or confidential information or data should be kept in a secure, locked environment with limited access only.
- Annually review your files and records for materials which may be purged or are no longer needed. If on a hard drive, ensure you "wipe" it clean pursuant to ITSO standards.
- IMMEDIATELY report any breach (suspected or confirmed), loss of portable devices or media, or theft to the IT Security Office and Privacy Office.
- Follow all policies and procedures regarding data and inquire with the ITSO or the Privacy Office about additional steps you may take to secure the privacy and retention of sensitive, nonpublic and/or confidential information or data.
- Retain records as directed. Retain records containing protected health information (PHI) for 6 years from the date of creation. Records that may be part of anticipated or ongoing litigation must be retained unless released by the Office of the General Counsel.