SSN/PII FAQs
- When did the University adopt this policy?
- The policy was adopted January 2009.
- How does it differ from the previous policy?
- The University's previous Information Technology Policy has been updated to include a data classification section. It defines the categories of Legally Restricted, Confidential, Internal University Use Only, and Public, and describes generally the level of protection each must receive. HR Policy 108 also requires University employees to protect confidential information. The new SSN/PII policy has been created to provide additional guidance on these types of Legally Restricted data and how they may be collected, maintained, and destroyed. It prohibits a number of specific uses that have a high potential for disclosure.
- Why do we need yet another policy?
- The reasons for this Policy are to prevent identity theft through unauthorized use of an individual's SSN and/or PII and to comply with New York law. New York law mandates reporting to State agencies and to the individuals affected whenever an SSN is disclosed in a manner not in compliance with law. New York law places specific restrictions on how an individual's SSN and PII may be acquired, used, stored and communicated.
- Whom do I contact if I have questions about the policy or the registration process?
- Am I still permitted to record SSN?
- Yes, if it is needed for a current business purpose and you are recording SSN in a data collection that has been registered. If you are planning to create a new data collection containing SSN, consult with a University Privacy Officer first.
- Does the SSN-PII policy apply to affiliate organizations of the University,
such as Highland Hospital and Visiting Nurse Service? What about the related IT and record retention
policies?
- None of these policies applies directly. The affiliates will be adopting their own policies, which will be similar to these University policies.
- Do I have to look through all of my email for SSN?
- You need to consider all of your email. If you have been following a consistent email filing practice, you may have very few places that you need to look through. For example, you may have received SSNs only in the course of performance evaluations or wage & salary programs and have filed all such email in one folder. Within those places, first look at your received and sent emails that contain attachments. If any contains SSN, consider whether you can now delete the attachment or the whole email, perhaps because you can rely on another office to maintain the primary copy of the same information. Then, apply the same process to message text in those email folders that are likely to contain SSN.
- Do I have to look through all of my paper or electronic files to find all documents
or records containing SSN?
- As with email (see above), you need to consider all of your files. Pay particular attention to collections of forms. Note that forms may have changed over the years and that older forms may have invited or required entry of SSN while newer forms may not.
- If I receive an e-mail containing someone's SSN, does that make me a custodian?
- If you keep that e-mail, you will be creating a data collection containing SSN that you will have to register. If you forward and delete the e-mail, make sure that you don't retain a copy in a "sent mail" folder. Printing out and deleting the e-mail won't solve your problem. If you retain someone else's SSN in any medium in any location under your control, you are creating a data collection that you must register.
- I have paper records containing SSN that I plan to retain. Is it safer
to retain them in paper or to scan them to digital form and shred the paper?
- Each data collection kept in a different place under different security controls creates more risk of inadvertent disclosure. If your proposed conversion from paper to digital eliminates a confidential data storage location and if the digital copies will be stored in a previously existing secure storage location, then you probably will reduce the University's overall risk. Contact your IT security support team for an assessment.
- How do I make sure that SSN is secure when I send it electronically - for
example, by e-mail or file transfer?
- First, consider whether you need to continue sending SSN at all. Every time you send SSN, you are making a copy that needs to be protected in transit and at its destination. Review with your privacy officer whether there might be a different workflow that would allow SSN to stay where it is and be viewed securely by authorized persons.
If you must send SSN, follow these guidelines for secure communication.
Communication across the following data networks is considered adequately secure for SSN and other Legally Restricted Information:
1) University wired data networks
2) University wireless data networks named UR_RC_DomainAuth, UR_RC_InternalSecure, or UR_MCwireless.
Communication across all other networks, especially across the Internet outside the University, requires additional security measures, such as
a) https - the secure communication mode for Web browsers
b) sftp and scp - secure file transfer software
c) Virtual Private Networking (VPN) provided by University IT and URMC ISD
d) Secure Email Service (currently available only to URMC e-mailboxes)
e) encrypted .zip archives
For assistance with any of these security measures, contact the IT Center or the URMC ISD Help Desk.
- If I want to retain a paper record that happens to contain an SSN but
I don't need SSN, can I just black out the SSN and continue to retain the record without
registering it?
- Possibly. If you make the SSN unreadable and unrecoverable from that record, you do not need to register the record.
- What is considered a sufficient method of redacting SSN in paper forms?
A permanent ink marker?
- To be certain, you might have to cut out and shred the SSN. A permanent ink marker might be sufficient. You would need to hold the form up to a light to see whether the marker has made the SSN completely unreadable. Be aware that copy machines and fax machines can highlight very subtle differences in color density, possibly revealing SSNs that have not been thoroughly blacked out or that have been blacked out with a different type of ink.
- What do we do with old paper payroll documents, such as payroll reporting "green
sheets"?
- The departmental green or blue copies of payroll sheets, used before the PeopleSoft HRMS system, should be shredded ASAP. The Payroll and Employment Records Center has already shredded the paper originals.
- What do we do with old W-9 forms?
- There is no need for departments to retain W-9 forms. When W-9 forms are required, they should be completed and sent to University Finance immediately. Any W-9 copy currently held by a department should be shredded ASAP. See also the Finance policy on payments to study subjects.
- Why do we need yet another form?
- The purpose of this form is to inform University risk managers of storage practices for restricted
data types in all areas of the University. This information will be used to direct educational and
risk reduction efforts to those situations that present the most significant reputational and financial
risks to the University.
- Do I have to register data collections that do not contain SSN?
- No, as long as no part of SSN is included in the collection.
- Do I have to register a data collection that contains only the last
four digits of SSN, or some other part of SSN, but not a whole SSN?
- Yes, partial SSN is treated the same as full SSN for the purposes of this policy.
- Are ITINs (Individual Taxpayer Identification Numbers) to be treated the same as SSNs?
- ITINs typically are formatted like SSNs, are entered into the same data collection fields as SSNs, and are used for tax reporting purposes. When in doubt, treat ITINs like SSNs. Unless you are certain that a given data collection contains ITINs and no SSNs, now and in foreseeable future additions to that data collection, you should register the data collection.
- If I have both electronic and paper copies of the same data,
do I have to register one data collection or two?
- Two data collections, because they are on different media. Typically, different media have different
access control mechanisms that will need to be evaluated. You may wish to consider whether you can properly
dispose of one of the copies in order to avoid having to register that collection.
- Is a separate registration form required from each staff member in
our department, or just one from our manager?
- If each staff member controls access to a separate collection containing SSN, for example, a set of
personnel files containing SSN that the staff member keeps locked in his or her desk, then that staff
member must register that collection. Alternatively, if staff members return personnel files to a central
storage location in the office at the end of the business day, then only the manager would need to
complete a registration for that central collection. If staff members do their work within a
storage location that is locked at the end of the business day, the contents of that location might
be considered a single collection. Contact your privacy officer for an evaluation of atypical storage
situations.
- We keep a database containing SSN on a file server. Who is the custodian
who will have to register that data collection?
- To determine who the data custodian might be, look for the person who decides who is permitted access
to the smallest or lowest level container that secures access to the data. For example, if the data
is in an unencrypted Access database sitting in a file share, then the person who decides who has access
to the file share is the custodian of that database. On the other hand, if the database
is encrypted, the person who decides who is given the decryption key or password is the custodian.
The system administrator of a multi-file-share server typically would not be a data custodian under
this policy, because that person is not deciding who is authorized to access each file share.
- Do I have to register collections containing SSN that are maintained
for UR by a business partner under contract to UR?
- Yes. The UR employee who is responsible for monitoring the contract is the custodian for that data
collection under this policy.
- Do I have to register collections containing SSN that are maintained
by non-UR persons or organizations to which UR is required to contribute data, but not under contract
to UR?
- The University requires us to collect SSN during clinical trial
registration for payment purposes. Do I have to register all of these study participants?
- University Finance policy on payments to study subjects requires that a W-9 form, including SSN, be completed and immediately sent to Finance when total payments to a study participant for the year for a given study reach $275 or more. Copies of W-9 forms should not be retained by the research study or department. If a study has been authorized to collect SSN for purposes other than payment, that collection of SSNs must be registered.
- Who needs to register a collection of paper medical records that
move from a physician's office to an ambulatory department?
- The custodian of the collection in the physician’s office might be the physician or the office
manager. The custodian at the ambulatory department might be the administrator of that department. Although
the specific patient files held at each of those locations may change over time, the ongoing existence
of a collection of patient files at each location must be registered.
- Do I have to register the fact that I receive prospective
student folders (that contain SSN) for short periods of time and then hand these back to enrollment
services?
- No, if you hand these back by the end of the business day. If you routinely keep a (possibly changing)
set of such folders in your possession, you must register this collection.
- Do I have to sign my registration form? How do I do that?
- By completing all elements of the registration form and e-mailing it from a University e-mail
address to SSNRegistry@rochester.edu, you are
attesting to the accuracy of the information. No other electronic confirmation or signature is required.
- The Currents article says that we have to state who has access
to the collection. Where should that be entered on the registration form?
- The form currently includes only Part 1 of the registration. When the Privacy Officer follows up with
you on Part 2 of the registration, you will be asked for this information.