Standard and Best Practices for Handling Social Security Numbers
Solicitation, Maintenance, Control, and Protection of Social Security Numbers
The University of Texas at El Paso (UTEP) has established Standard 13: Control and Protection of Social Security Numbers for the proper solicitation and use of Social Security Numbers (SSNs) as reasonably necessary in carrying out its responsibilities and conducting its daily business and academic activities that support its mission. The standard contains additional information and applies to all individuals, including students, retirees, employees, and external constituents.
The University shall not request, maintain or utilize individual SSNs for identification purposes except as required or permitted by Federal or state law. Except in those instances in which UTEP is legally required to collect a SSN, an individual shall not be required to disclose all or part of his or her SSN, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her SSN. UTEP shall comply with the requirements of all federal and state statues governing solicitation, maintenance, and use of SSNs, including UTS165-UT System Information Resources Use and Security Policy. SSNs shall not be used as the primary identifier for basic campus services, unless required by statute.
Solicitation of SSNs and Notice Requirements
UTEP may request and solicit an individual's SSN in order to conduct its daily business and meet federal or state statutes. Any individual requested by UTEP to disclose his or her SSN shall be notified: 1) that disclosure of his or her SSN is mandatory to comply with federal or state statutes, 2) how the SSN will be used by UTEP, and 3) the statute or legal authority under which the SSN is being requested.
To comply with notice requirements, notices regarding mandatory disclosure of SSNs shall be placed directly on forms requesting SSNs from individuals or placed within an office in a prominent location reasonably visible by individuals disclosing their SSNs. Notices may be attached to current forms stock, if necessary, until the stock is reprinted and replenished at which time the federal or state statute must be stated. Please refer to Standard 13 for additional requirements.
For assistance in developing SSN disclosure notifications, contact the Information Security Office at (915) 747-6324, or via email at firstname.lastname@example.org.
Assignment of Unique Identification Numbers
A unique UTEP ID number has been assigned to all students, employees, retirees, applicants, contractors and other individuals as applicable at the earliest possible point of contact between the individual and the University. The UTEP ID number will be used to identify, track, and service individuals during the course of official university business.
Disclosure of SSNs not Mandated by Law or Statute
UTEP departments shall not require the disclosure of a SSN by an individual if it is not required to comply with federal or state statutes. Alternate means for tracking or identifying individuals should be established. UTEP ID numbers should be requested to provide services to students, faculty, staff, and retirees. For external parties, alternate means for tracking or identifying individuals shall be established. For assistance please contact the Information Security Office at (915) 747-6324.
Refusal by Individuals to Disclose SSNs
Except in those instances UTEP is legally required to collect SSNs, individuals refusing to disclose their SSNs should not be denied access to services.
Protection of SSNs and UTEP ID Numbers (80/88/60)
All SSNs obtained or maintained by UTEP shall remain confidential. Any use or disclosure of SSNs by UTEP for purposes other than those stated when the SSNs were solicited is prohibited without the written consent of the SSN holder.
Under no circumstances should SSNs or UTEP ID Numbers (80/88/60) be publicly posted, disclosed to the public, or shared with non-regulatory entities or individuals not directly involved in the department's daily business activities. Student grades or employee timecards may not be publicly posted or displayed with SSNs/UTEP ID Numbers or any portion of the SSN/UTEP ID Number that may directly or indirectly identify the individual.
SSNs will not be printed on UTEP Miner Gold ID card issued to students and staff. SSNs shall not be printed on a card or other device intended to provide access to a service or product.
Mailings of documents containing SSNs shall ensure that the SSN are protected, including non-exposure of SSNs through window envelopes.
SSNs will be protected to the extent provided by law.
Electronic Transmission and Use of SSNs
All requests for and transmittal of SSNs by UTEP electronically (e.g., Internet, phone, e-mail, etc.) shall be made over secured media and/or encryption. Any electronic or computer transmittal of files containing SSNs shall be secured with password, encryption, or other secured means. Please refer to UTEP Standard 2: Acceptable Use of Information Resources for more information.
Storage of Documents Containing SSNs
Paper, computerized, or electronic documents or files containing SSNs shall be protected at all times using physical and technical safeguards. Computer or electronic files containing SSNs shall not be stored or reside on equipment or systems that are not protected against unauthorized access.
Users shall store documents or other media containing SSNs or other information essential to the mission of the University on centrally managed servers rather than a local hard drive or portable device. In cases when a user must create or store SSNs on a local hard drive or portable device such as a laptop, computer, tablet computer, smart phone, etc., the user must ensure that the data is encrypted and that the device abides by all University and UT System policies and standards.
Specific permission must be obtained from the Department Head, Chair or Dean AND the CISO before a user may store SSNs on any personally owned computers, mobile devices, USB thumb drives, or similar devices. Such permission should be granted only upon demonstration of a business need and an assessment of the risk introduced by the possibility of unauthorized access or loss of the data. Any personally owned computing device that contains SSNs must be encrypted and configured to comply with all required University and UT System security controls as well as all policies and standards while holding such data.
Users who store SSNs using commercial cloud services must use services provided or sanctioned by the University rather than personally obtained cloud services.
Physical files containing SSNs shall be secured and made available only to authorized individuals. Please refer to UTEP Standard 11: Safeguarding Data for more information.
Disposal of Documents Containing SSNs
Provided State retention requirements have been met, paper and electronic documents or files containing SSNs will be disposed of in a secure fashion, such as shredding. Computer files containing SSNs residing on disks, tapes, or hard drives shall be appropriately destroyed. Please refer to UTEP Electronic Data Destruction Guidelines for more information.
Employees Using SSNs
All departments shall limit access to records containing SSNs to only those employees who need to see the number for the performance of the employee's job responsibilities. All employees with access to SSNs are required to protect the confidentiality of these numbers, or be subject to appropriate disciplinary action.
Disclosure to Outside Parties
SSNs may not be shared with outside parties unless required or permitted by law or consented to in writing by the individual. Disclosure to external parties is permitted provided they are an agent or contractor for the institution whom has agreed in writing to protect the confidentiality of SSNs.
Reporting SSN Compliance
Employees shall promptly report inappropriate disclosure or use of SSNs to their supervisors, who shall report the disclosure to the Information Security Office at (915) 747-6324 or email@example.com.
Revised and Approved by CISO: June 20, 2019