[X] Close Window

Frequently Asked Questions

A new FAQ posted 03/25/09 on the relationship between records retention and disposal requirements and SSN remedation.

General Questions

Why do we need to worry about protecting Social Security numbers?

As the SSN has grown in prevalence as a unique identifier it has become possible not only to discover a great deal of information about an individual, but also to initiate important business transactions using a person's SSN.

What steps is the University planning to take to address SSN use?

Remediation requirements for business processes and computer systems on grounds are being developed and work is currently underway to implement them.

What will be used in place of the SSN?

The University ID number will replace the SSN as the primary means of identifying individuals.

Does this mean that I don't ever have to give the University my Social Security number?

Although we are working hard to minimize the University's need to solicit SSN, you will still need to provide your SSN in some circumstances. Employees must provide SSN for tax reporting purposes and students must provide SSN for certain academic transactions, processing of loans, scholarships, and tuition tax credits.

I am still asked for my SSN while trying to transact business with the University. What's going on?

While we want everyone to be aware of the problems with divulging SSN, the process of moving away from SSNs and toward University IDs (involving hundreds of systems and millions of records) will take several years. Until this migration is complete please bear with us -- but don't hesitate to ask why the number is being requested and whether there is an alternative.

Policy Implementation Questions

Who is paying for the remediation process within my department?

Each unit is responsible for funding the remediation in its area.

What can our department use instead of SSNs?

The University ID number is the best replacement in most circumstances. On a case-by-case basis, it may be determined that computing ID is a better alternative, e.g. when the system includes a large number of non-UVa affiliates.

Will ISIS allow login or lookup using the new University ID number rather than SSN?

ISIS Online now allows users to login with their University ID numbers instead of their SSNs. An ISIS green screen is also now available to allow look ups by University ID numbers instead of SSNs.

Will the University ID number be used in the new Student System?

The University ID number will be stored in the new Student System, which will be using the University ID number wherever possible to integrate with other systems. The University ID number will also be available as a search field on some PeopleSoft pages.

Will the Integrated System and Human Resources use the University ID number?

University ID numbers are stored in the Integrated System as part of the employee record. How and when this information will be utilized is under discussion.

How does our department convert our current stores of SSNs in electronic systems to University ID numbers?

An interface has been developed to allow a one-time conversion of your data by reference to ISIS for student SSNs. Changes will also need to be made to ongoing feeds and interfaces to ensure data is mapped properly.

Why is the University doing this now? Why not just wait until the new Student System is in place?

All SSN data at the University (not just that of students) need protection now.
This process helps departments prepare for the transition to the new Student System by changing their processes and forms away from SSN, which won't be used in most cases by the new Student System.
There are many stores of SSN data in University departments completely independent of central systems like ISIS, Integrated System and the new Student System that need to be remediated.

How can we distinguish University ID numbers from SSNs?

Like SSNs, University ID numbers are 9-digit numbers. However, steps have been taken to reduce the possibility of University ID number-SSN overlap (e.g. out of the original random creation of 20,000+ University ID numbers, fewer than 100 matched SSNs already in our system and replacements were regenerated for those). So usually, if one is trying to look up someone based on University ID number and nothing is returned, the informant accidentally provided the SSN (or vice versa). To help distinguish which number is being asked for on a form, never refer to “ID #” but explicitly ask for “University ID number,” “ISIS ID number” or “SSN” as appropriate. Also, a helpful visual clue as to what is being requested in forms is the use of the 4 digit dash 5 digit format used by the University ID (xxxx-xxxxx) rather than the xxx-xx-xxxx format traditionally used for SSNs. The same is true for reports and print outs.

Are University ID numbers public information?

Although University ID numbers are not, strictly speaking, confidential, they should not be handled casually, and, particularly when used or stored in large quantities, should be well-protected. University ID numbers are defined as moderately sensitive data under U.Va.'s official Institutional Data Protection Standards.

What can individual faculty members do concerning their use of SSNs?

There are several actions faculty members can take, including:

Removing all old grade files
Use a tool like Identity Finder to locate files containing SSNs and delete them
Do not collect SSNs for any reason without departmental approval
Follow the University Registrar policy on posting grades

What about records retention requirements? (added 03/25/09)

Social Security Number Redaction and Records Management

As required by law:

Records containing SSN that have not met the retentions below may not be redacted, but should be retained in locked file cabinets in locked rooms with limited access. Because these retentions are required under the Virginia Public Records Act, we are required to retain these records unchanged.

Student Records:

Undergraduate Student – retain for 3 years after graduation or last date enrolled.

Graduate Student – retain for 10 years after graduation or last date enrolled.

Personnel Records (faculty, staff, wage): Retain for 5 years after termination or last date employed by the department.

Retention requirements are only applicable to departmental offices. Please note this is not applicable to records of Medical Students or Medical School Faculty; please contact the University Records Management Office for specific instructions on the retention of these records.

Records that have met the above retention should be destroyed in their entirety within 6 months of the completed retention period. If the department wishes to retain any of these records beyond the retention period (not recommended) the department will then be required to redact the SSN from the records (see Approved Redaction Methods below). If you have a legal need to retain the complete record beyond the retention period, please contact the University Records Management Office to discuss creation of a specific records series.

Individual supervisors and/or faculty may not retain student or employee information containing SSN outside of the official departmental office responsible for managing student and/or employee information.

Approved Redaction Methods

Non-electronic media:

Overwriting the SSN Information

Overwrite the SSN information on the original document with black marker.

Photocopy the original document.

Shred the original document in a cross-cut shredder.

File the photocopy.

Excising the Information

You may physically excise the SSN information using an exacto knife, scissors, hole punch or other means. (This assumes there is nothing on the backside of the document that needs to be kept and that the document will remain in one piece following such excision.)

Shred the excised portion in a cross cut shredder.

Electronic media:

Remove the SSN information from the document. If the document is a spreadsheet or database, remove the entire column or field containing the information.

Choose “Save as…” from the File menu (or equivalent) to save a fresh copy of the document.

“Shred” the original document securely; see “Secure Data Deletion” for details.

For additional information, please visit the University Records Management Office web page.

[X] Close Window



Project Charter Policies Frequently Asked Questions Project Organization Related Links Contact Us Home		Frequently Asked Questions A new FAQ posted 03/25/09 on the relationship between records retention and disposal requirements and SSN remedation. General Questions Why do we need to worry about protecting Social Security numbers? As the SSN has grown in prevalence as a unique identifier it has become possible not only to discover a great deal of information about an individual, but also to initiate important business transactions using a person's SSN. What steps is the University planning to take to address SSN use? Remediation requirements for business processes and computer systems on grounds are being developed and work is currently underway to implement them. What will be used in place of the SSN? The University ID number will replace the SSN as the primary means of identifying individuals. Does this mean that I don't ever have to give the University my Social Security number? Although we are working hard to minimize the University's need to solicit SSN, you will still need to provide your SSN in some circumstances. Employees must provide SSN for tax reporting purposes and students must provide SSN for certain academic transactions, processing of loans, scholarships, and tuition tax credits. I am still asked for my SSN while trying to transact business with the University. What's going on? While we want everyone to be aware of the problems with divulging SSN, the process of moving away from SSNs and toward University IDs (involving hundreds of systems and millions of records) will take several years. Until this migration is complete please bear with us -- but don't hesitate to ask why the number is being requested and whether there is an alternative. Policy Implementation Questions Who is paying for the remediation process within my department? Each unit is responsible for funding the remediation in its area. What can our department use instead of SSNs? The University ID number is the best replacement in most circumstances. On a case-by-case basis, it may be determined that computing ID is a better alternative, e.g. when the system includes a large number of non-UVa affiliates. Will ISIS allow login or lookup using the new University ID number rather than SSN? ISIS Online now allows users to login with their University ID numbers instead of their SSNs. An ISIS green screen is also now available to allow look ups by University ID numbers instead of SSNs. Will the University ID number be used in the new Student System? The University ID number will be stored in the new Student System, which will be using the University ID number wherever possible to integrate with other systems. The University ID number will also be available as a search field on some PeopleSoft pages. Will the Integrated System and Human Resources use the University ID number? University ID numbers are stored in the Integrated System as part of the employee record. How and when this information will be utilized is under discussion. How does our department convert our current stores of SSNs in electronic systems to University ID numbers? An interface has been developed to allow a one-time conversion of your data by reference to ISIS for student SSNs. Changes will also need to be made to ongoing feeds and interfaces to ensure data is mapped properly. Why is the University doing this now? Why not just wait until the new Student System is in place? All SSN data at the University (not just that of students) need protection now. This process helps departments prepare for the transition to the new Student System by changing their processes and forms away from SSN, which won't be used in most cases by the new Student System. There are many stores of SSN data in University departments completely independent of central systems like ISIS, Integrated System and the new Student System that need to be remediated. How can we distinguish University ID numbers from SSNs? Like SSNs, University ID numbers are 9-digit numbers. However, steps have been taken to reduce the possibility of University ID number-SSN overlap (e.g. out of the original random creation of 20,000+ University ID numbers, fewer than 100 matched SSNs already in our system and replacements were regenerated for those). So usually, if one is trying to look up someone based on University ID number and nothing is returned, the informant accidentally provided the SSN (or vice versa). To help distinguish which number is being asked for on a form, never refer to “ID #” but explicitly ask for “University ID number,” “ISIS ID number” or “SSN” as appropriate. Also, a helpful visual clue as to what is being requested in forms is the use of the 4 digit dash 5 digit format used by the University ID (xxxx-xxxxx) rather than the xxx-xx-xxxx format traditionally used for SSNs. The same is true for reports and print outs. Are University ID numbers public information? Although University ID numbers are not, strictly speaking, confidential, they should not be handled casually, and, particularly when used or stored in large quantities, should be well-protected. University ID numbers are defined as moderately sensitive data under U.Va.'s official Institutional Data Protection Standards. What can individual faculty members do concerning their use of SSNs? There are several actions faculty members can take, including: Removing all old grade files Use a tool like Identity Finder to locate files containing SSNs and delete them Do not collect SSNs for any reason without departmental approval Follow the University Registrar policy on posting grades What about records retention requirements? (added 03/25/09) Social Security Number Redaction and Records Management As required by law: Records containing SSN that have not met the retentions below may not be redacted, but should be retained in locked file cabinets in locked rooms with limited access. Because these retentions are required under the Virginia Public Records Act, we are required to retain these records unchanged. Student Records: Undergraduate Student – retain for 3 years after graduation or last date enrolled. Graduate Student – retain for 10 years after graduation or last date enrolled. Personnel Records (faculty, staff, wage): Retain for 5 years after termination or last date employed by the department. Retention requirements are only applicable to departmental offices. Please note this is not applicable to records of Medical Students or Medical School Faculty; please contact the University Records Management Office for specific instructions on the retention of these records. Records that have met the above retention should be destroyed in their entirety within 6 months of the completed retention period. If the department wishes to retain any of these records beyond the retention period (not recommended) the department will then be required to redact the SSN from the records (see Approved Redaction Methods below). If you have a legal need to retain the complete record beyond the retention period, please contact the University Records Management Office to discuss creation of a specific records series. Individual supervisors and/or faculty may not retain student or employee information containing SSN outside of the official departmental office responsible for managing student and/or employee information. Approved Redaction Methods Non-electronic media: Overwriting the SSN Information Overwrite the SSN information on the original document with black marker. Photocopy the original document. Shred the original document in a cross-cut shredder. File the photocopy. Excising the Information You may physically excise the SSN information using an exacto knife, scissors, hole punch or other means. (This assumes there is nothing on the backside of the document that needs to be kept and that the document will remain in one piece following such excision.) Shred the excised portion in a cross cut shredder. Electronic media: Remove the SSN information from the document. If the document is a spreadsheet or database, remove the entire column or field containing the information. Choose “Save as…” from the File menu (or equivalent) to save a fresh copy of the document. “Shred” the original document securely; see “Secure Data Deletion” for details. For additional information, please visit the University Records Management Office web page.

Frequently Asked Questions

General Questions

Policy Implementation Questions

SSN Initiative