The University's previous Information Technology Policy has been updated to include a data classification section. It defines the categories of Legally Restricted, Confidential, Internal University Use Only, and Public, and describes in general terms the level of protection each must receive. HR Policy 108 also requires University employees to protect confidential information. The new SSN/PII policy has been created to provide additional guidance on these types of Legally Restricted data and how they may be collected, maintained, and destroyed. It prohibits a number of specific uses that have a high potential for disclosure.
The reasons for this Policy are to prevent identity theft through unauthorized use of an individual's SSN and/or PII and to comply with New York law. New York law mandates reporting to State agencies and to the individuals affected whenever an SSN is disclosed in a manner not in compliance with law. New York law also places specific restrictions on how an individual's SSN and PII may be acquired, used, stored and communicated.
Yes, if it is needed for a current business purpose and you are recording SSN in a data collection that has been registered. If you are planning to create a new data collection containing SSN, consult with a University Privacy Officer first.
You need to consider all of your email. If you have been following a consistent email filing practice, you may have very few places that you need to look through. For example, you may have received SSNs only in the course of performance evaluations or wage & salary programs and have filed all such email in one folder. Within those places, first look at the received and sent messages that contain attachments. If any contains SSN, consider whether you can now delete the attachment or the whole message, perhaps because you can rely on another office to maintain the primary copy of the same information. Then apply the same process to the message text in those email folders that are likely to contain SSN.
As with email (see above), you need to consider all of your files. Pay particular attention to collections of forms. Note that forms may have changed over the years and that older forms may have invited or required entry of SSN while newer forms may not.
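An added helper for the email review described above (example code, not part of the University's policy or tooling): it scans constructed sample messages, attachments first and then message text, for SSN-shaped values, and deliberately keeps ITIN-format (9xx) numbers because this page says to treat ITINs like SSNs. The SSA format rules used to filter obvious non-SSNs and the sample messages are assumptions of the example.

```python
import email
import re
from email import policy

# SSN-shaped values: area-group-serial, joined by hyphens, spaces, or nothing.
# Area 000/666, group 00 and serial 0000 are never issued (SSA rules; an assumption
# of this example). Area 9xx is reserved for ITINs, which the guidance on this page
# says to treat like SSNs, so 9xx is deliberately kept and reported.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})(?!\d)"
)

def find_ssn_like(text):
    """Return the SSN-shaped values in text as sorted 'AAA-GG-SSSS' strings."""
    return sorted({f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)})

def scan_message(raw):
    """Check attachments first, then text bodies, in the order the guidance above
    suggests. Returns [(location, [values]), ...] for each part with hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    attachments, bodies = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part)
        elif part.get_content_type() == "text/plain":
            bodies.append(part)
    findings = []
    for part in attachments + bodies:
        payload = part.get_content()
        if isinstance(payload, bytes):  # binary attachment: best-effort decode
            payload = payload.decode("utf-8", "replace")
        hits = find_ssn_like(payload)
        if hits:
            where = "body" if part in bodies else f"attachment:{part.get_filename()}"
            findings.append((where, hits))
    return findings

# Constructed sample messages; every number below is made up for this example.
SAMPLE_MESSAGES = [
    "Subject: Performance evaluations\n"
    'Content-Type: multipart/mixed; boundary="XX"\n\n'
    "--XX\nContent-Type: text/plain\n\nSee attached.\n"
    '--XX\nContent-Type: text/csv\nContent-Disposition: attachment; filename="evals.csv"\n\n'
    "name,ssn\nA. Example,123-45-6789\nB. Example,987-65-4321\n--XX--\n",
    "Subject: Phone list\nContent-Type: text/plain\n\nCall 585-275-2121 for help.\n",
    "Subject: Re: wage program\nContent-Type: text/plain\n\nHer number is 123 45 6789.\n",
]
```

Run `scan_message` over each message of a folder to get a list of the places that would make that folder a registrable data collection.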
If you keep that e-mail, you will be creating a data collection containing SSN that you will have to register. If you forward and delete the e-mail, make sure that you don't retain a copy in a "sent mail" folder. Printing out and deleting the e-mail won't solve your problem. If you retain someone else's SSN in any medium in any location under your control, you are creating a data collection that you must register.
Each data collection kept in a different place under different security controls creates more risk of inadvertent disclosure. If your proposed conversion from paper to digital eliminates a confidential data storage location and if the digital copies will be stored in a previously existing secure storage location, then you probably will reduce the University's overall risk. Contact your IT security support team for an assessment.
First, consider whether you need to continue sending SSN at all. Every time you send SSN, you are making a copy that needs to be protected in transit and at its destination. Review with your privacy officer whether there might be a different workflow that would allow SSN to stay where it is and be viewed securely by authorized persons.
If you must send SSN, follow these guidelines for secure communication.
Communication across the following data networks is considered adequately secure for SSN and other Legally Restricted Information:
1) University wired data networks
2) University wireless data networks named UR_RC_DomainAuth, UR_RC_InternalSecure, or UR_MCwireless
Communication across all other networks, especially across the Internet outside the University, requires additional security measures, such as:
a) https - the secure communication mode for Web browsers
b) sftp and scp - secure file transfer software
c) Virtual Private Networking (VPN) provided by University IT and URMC ISD
d) Secure Email Service (currently available only to URMC e-mailboxes)
e) encrypted .zip archives
To be certain, you might have to cut out and shred the SSN. A permanent ink marker might be sufficient. You would need to hold the form up to a light to see whether the marker has made the SSN completely unreadable. Be aware that copy machines and fax machines can highlight very subtle differences in color density, possibly revealing SSNs that have not been thoroughly blacked out or that have been blacked out with a different type of ink.
The departmental green or blue copies of payroll sheets, used before the PeopleSoft HRMS system, should be shredded ASAP. The Payroll and Employment Records Center has already shredded the paper originals.
There is no need for departments to retain W-9 forms. When W-9 forms are required, they should be completed and sent to University Finance immediately. Any W-9 copy currently held by a department should be shredded ASAP. See also the Finance policy on payments to study subjects.
The purpose of this form is to inform University risk managers of storage practices for restricted data types in all areas of the University. This information will be used to direct educational and risk reduction efforts to those situations that present the most significant reputational and financial risks to the University.
ITINs typically are formatted like SSNs, are entered into the same data collection fields as SSNs, and are used for tax reporting purposes. When in doubt, treat ITINs like SSNs. Unless you are certain that a given data collection contains ITINs and no SSNs, now and in foreseeable future additions to that data collection, you should register the data collection.
Two data collections, because they are on different media. Typically, different media have different access control mechanisms that will need to be evaluated. You may wish to consider whether you can properly dispose of one of the copies in order to avoid having to register that collection.
If each staff member controls access to a separate collection containing SSN, for example, a set of personnel files containing SSN that the staff member keeps locked in his or her desk, then that staff member must register that collection. Alternatively, if staff members return personnel files to a central storage location in the office at the end of the business day, then only the manager would need to complete a registration for that central collection. If staff members do their work within a storage location that is locked at the end of the business day, the contents of that location might be considered a single collection. Contact your privacy officer for an evaluation of atypical storage situations.
To determine who the data custodian might be, look for the person who decides who is permitted access to the smallest or lowest level container that secures access to the data. For example, if the data is in an unencrypted Access database sitting in a file share, then the person who decides who has access to the file share is the custodian of that database. On the other hand, if the database is encrypted, the person who decides who is given the decryption key or password is the custodian. The system administrator of a multi-file-share server typically would not be a data custodian under this policy, because that person is not deciding who is authorized to access each file share.
University Finance policy on payments to study subjects requires that a W-9 form, including SSN, be completed and immediately sent to Finance when total payments to a study participant for the year for a given study reach $275 or more. Copies of W-9 forms should not be retained by the research study or department. If a study has been authorized to collect SSN for purposes other than payment, that collection of SSNs must be registered.
The custodian of the collection in the physician's office might be the physician or the office manager. The custodian at the ambulatory department might be the administrator of that department. Although the specific patient files held at each of those locations may change over time, the ongoing existence of a collection of patient files at each location must be registered.
No, if you hand these back by the end of the business day. If you routinely keep a (possibly changing) set of such folders in your possession, you must register this collection.
By completing all elements of the registration form and e-mailing it from a University e-mail address to SSNRegistry@rochester.edu, you are attesting to the accuracy of the information. No other electronic confirmation or signature is required. The form currently includes only Part 1 of the registration. When the Privacy Officer follows up with you on Part 2 of the registration, you will be asked for this information.
NYS Labor Law section 203-d, effective 1/3/09, defines employee PII as:
• social security number
• home address or telephone number
• personal electronic mail address
• Internet identification name or password
• parent's surname prior to marriage
• driver's license number or non-driver identification number
Yes. However, the NYS Employee Personal Identifying Information Law effective 1/3/09 prohibits the University or any employer from making an employee's home telephone number (and several other kinds of PII) available to the general public.