Social Security Number Protection Policy
Policy 3.1 Social Security Number Protection Policy
Category: Information Privacy
Effective: April 2, 2015
Revision History: January 29, 2018
Review Date: January 2021
PURPOSE AND SCOPE
. West Virginia University (WVU) recognizes that it collects and maintains
confidential information relating to its students, employees and individuals
associated with the University. WVU is committed to maintaining the privacy
and confidentiality of an individual’s Social Security number (SSN). This
policy establishes the responsibilities of all WVU organizational units regarding
the use and protection of SSNs.
. This policy applies to all University staff, faculty, and students as well
as any third-parties that have access to, collect or use an individual’s
Social Security number.
- Purpose . West Virginia University (WVU) recognizes that it collects and maintains confidential information relating to its students, employees and individuals associated with the University. WVU is committed to maintaining the privacy and confidentiality of an individual’s Social Security number (SSN). This policy establishes the responsibilities of all WVU organizational units regarding the use and protection of SSNs.
- The WVUID Number (WVUID) will act as the primary identifier used by the University in all information systems and as the primary identifier in electronic communications. The University will discontinue the use of SSN as the primary identifier in all instances except where required by federal or state law. Faculty, staff, students, organizational units and third parties working for and with the University will not solicit SSNs except when required by federal or state law.
- All University units are expected to follow published procedures in maintaining the security and privacy of SSN data. Units and individuals are also expected to follow procedures maintained by Information Technology Services and WVU designated data stewards related to the collection, dissemination and security of SSN data. These procedures are posted on the Information Technology Services website.
- Units or individuals responsible for breaching the privacy of another person by improperly obtaining, using or disclosing a SSN are subject to discipline as provided in the applicable WVU Employee and Student Life procedures.
- The following applies to all University organizational units:
- Employees and students shall comply with the provisions of this policy, as well as related institutional policies and procedures.
- Employees may not request an individual’s Social Security number unless
the request is part of their job duties and necessary for University
- Employees and students shall not disclose the SSN of another person unless it is necessary for the continuance of University operations.
- Employees and students may not seek out or use the SSN of another person for their personal advantage.
- Employees responsible for the maintenance of records containing SSNs shall observe all University published policies and procedures in order to protect the confidentiality of such records.
- Employees shall report promptly to Information Security Services and their supervisors any inappropriate disclosure of an SSN.
- If SSNs are inappropriately disclosed and individuals have been put at risk of identity theft or other harm as a result, Information Security Services and the Office of Legal Affairs shall be notified within 24 hours of the discovery of the release.
Employees and units shall identify and report to Information Security Services any current process using SSNs that are not used for the continuance of University operations.
Employees and units shall report to Information Security Services improper storage of SSNs (e.g., SSNs stored on a computer’s desktop or on removable media).
- Data stewards: WVU executive officers or their designees who have planning and policy-level responsibilities for data in their functional areas and have management responsibilities for recognized information systems.
- Electronic communications: Communications that have been designated as not being secure (e.g., email, public websites, social media).
Information Security Services: Contact information is
- Office of Legal Affairs: Contact information is email@example.com.
- Information systems: Computer systems used for academic, administrative and research operations.
- Personally identifiable information (PII): Data that identifies an individual, including, but not limited to, Social Security number, driver’s license number, credit card numbers, bank account information, employee performance or salary information, student grades, disciplinary information or account passwords.
- University operations: Operations designated as essential to the administrative needs of employees and operations designed as essential to the academic needs of students.
- WVUID: An internally-generated number used to identify individuals associated with WVU.
- WVU IT enterprise: All WVU-owned information technology assets.
- WVU third-party: An individual or an entity that has an affiliation with WVU (e.g., retirees, consultants, presenters, camp attendees, vendors).
- WVU’s Chief Information Officer, supported by the Chief Information Security and Privacy Officer, will coordinate with identified data stewards the implementation and enforcement of this policy.
- Violation or non‐compliance of this policy will be addressed in accordance with established WVU disciplinary policies and procedures, as issued and enforced by the appropriate authorities. Failure to comply with this or other related standards may result in disciplinary action up to and including termination of employment or studies.
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to: