By Jennifer Wedow
The University's new policy on Social Security numbers and personal identifying information was adopted in January, and departments that have helped pilot the new effort say the implementation has been successful so far. Julie Myers, the University's chief information security officer, says the process is helping to raise awareness among staff members about the importance of protecting personal information.
"We've definitely reduced our Social Security footprint," says Dave Garcia, director of IT at the Warner School, one of the sites piloting use of the new registration process.
The policy is part of an ongoing effort to ensure that safeguards are in place to keep Social Security numbers and other personal identifying information—such as home addresses and telephone numbers—of faculty, staff, and students safe. Individuals who currently are custodians of a data collection containing Social Security numbers or Personal Identifying Information are asked to strongly consider if they truly need to retain the collection. If not, they are asked to securely dispose of the information.
If an individual is going to retain the collection, registration is an important first step in protecting the information. Any person at the University who possesses or is responsible for providing access to Social Security numbers is required to register the data collection(s) with a University privacy officer by June 30 and to agree to follow guidelines of the new policy.
As the policy rollout got under way earlier this year, Myers says University IT recognized the compliance process might seem daunting to some units and they wanted to identify ways to streamline the effort.
“We felt that using a couple of pilot groups to validate the processes and providing FAQs via a Web page was a critical step in helping to ensure we did not cause chaos and frustration for those who would need to comply with the new policy.”
Myers says the Warner school and the psychiatry department have proved to be ideal pilot sites. “When we started the pilot, the Warner team felt like they had the Social Security number situation under control,” explains Myers. “But, after a week of investigation, they realized that the situation was much more pervasive then they had ever imagined.”
Based on the lesson learned from the pilot project, Myers and the Privacy and Information Security Officer teams are developing a how-to Web site to help other units that are starting their compliance effort. Myers expects the site to go live in early April.
Pamela Black-Colton, executive director of admissions and marketing at Warner, says raising awareness of how personal identifying information is used has been key.
"We found Social Security numbers in surprising places," including old course evaluation forms, Black-Colton adds.
The next step at Warner is to review how they conduct their day to day operations—they are looking at their business practices and processes to make them more efficient and secure.
"We want to make sure we're doing things in the best way possible as far as managing Social Security numbers." Garcia explains.
The Warner School Finance Office prepared a document that summarizes the University’s Policy on Retention of Records. This document gives clear guidelines for how personal information should be used, stored, and disposed.
The psychiatry department at the Medical Center also piloted use of the new registration process. LouAnne Jaeger, director of information systems in psychiatry, describes a similar experience to that at Warner during the registration process.
"I realized in my files that I've got old reviews for people that have Social Security numbers, so I did a whole day of shredding," she says.
She adds that the policy has caused the department of about 800 employees to modify internal forms they have been using for years that no longer require Social Security numbers.
Cathi Gray, administrator for academic affairs at the School of Medicine and Dentistry, says she also found implementing the new policy “fairly seamless” and the registration process “very easy to follow.”
She says she did learn, with the help of Medical Center Chief Privacy Officer Peter Chesterton, that a record kept in both electronic and paper form needs to be registered twice—once for each medium in which it’s kept.
Back at Warner, registration efforts were tied into the school's "Clean and Go Green" event. Nearly 40 staff members got together in January to physically clean out their offices and recycle unneeded papers and office supplies.
"Everyone felt so great afterward," Black-Colton says. "It built a real team experience."
As staff members discovered items containing Social Security numbers or other personal identifying information, the items were registered or properly destroyed if they were no longer needed.
Black-Colton says another Clean and Go Green event is tentatively planned for May—with a focus on electronic information.
All departments are required to complete the registration process by June 30. View the University's Social Security number/personal identifying information policy online at www.rochester.edu/it/policy/SSN-PPI. If you have any questions or would like a University privacy officer to attend one of your staff meetings to outline the new guidelines, call 273-1804 or 275-7059 (Medical Center only.)