|[X] Close Window|
The Administrative Data Access Policy covers University handling of all sensitive data, including SSNs. This policy is expected to be replaced by three more explicit policies: 1) a Data Classification policy, 2) a Data Stewardship policy, and 3) a Social Security Number policy. These new policies will be publicized when issued.
The University Policy Office announced the issuance of University Policy IRM-014, Protection & Use of Social Security Numbers on 12/10/07.
The policy specifies limited conditions under which SSNs may be collected, used and/or reported. Its implementation reduces the University's risk of unauthorized exposure of SSNs by minimizing the amount of SSN data stored and increasing the security of these data stores.
In order to meet the policy requirements, departments will need to get approval before using SSNs in any new way. By July 1, 2008, departments will need to identify all records and records systems within their purview that use SSNs and develop a remediation plan, which, following approval, must be implemented by July 1, 2009.
The FAQs include some policy implementation questions.
The overview presentation (given at multiple sessions during the initial initiative roll out) is available as a PDF in both short and full form: