INFORMATION SECURITY POLICIES

Related Links

 

 

UW-WHITEWATER SOCIAL SECURITY NUMBER POLICIES AND GUIDELINES

Approved by Chancellor Telfer on July 27, 2009

A.  Purpose

The purpose of this policy is to provide information and rules of conduct for protecting the confidential nature of social security numbers used at or by the University.  Protection of this information is required by laws and regulations such as the federal Family Educational Rights and Privacy Act (FERPA).  A security breach or unintentional disclosure of this information may require public notification per 2005 Wisconsin Act 138.

B.  Scope

These policies and guidelines apply to all Employees and School Officials, as defined below.
These policies and guidelines apply only to University owned electronic data stored on or transmitted by digital systems managed by the University of Wisconsin–Whitewater or by entities explicitly contracted as agents of the University.

C.  Definitions

  1. "WINS" is an acronym used to identify the University’s human resources and student information systems.  UWW students, faculty and staff are granted secure access to data in WINS consistent with their relative roles on the campus and the needs of these roles.
  2. "Student" is defined as a person who meets one or more of the following conditions:  
    • Has a UW-Whitewater WINS student record as a prospective applicant, an applicant for admission, and/or a student who is or was enrolled in classes (past, present, future terms);
    • Has a non-WINS academic record that is maintained by the Registrar’s Office (e.g., the person was enrolled in credit classes prior to fall 1979, Milton College records, etc.);
    • Has enrolled in UW-Whitewater sponsored non-credit activity including, but not limited to, camps, workshops, seminars, and courses.
  3. "Employee" is a person who has a current, active appointment or agreement to work for the University.  This includes student workers and limited-term, classified, unclassified, and contracted employees.
  4. "School Official" is a person who serves the University in an administrative, supervisory, academic, research, or support staff position, including law enforcement personnel, health staff, and student employees. This definition also includes any external people or parties with whom the University has contracted (such as an attorney, auditor, or collection agent); those serving on an official committee, such as a disciplinary or grievance committee; or those assisting another UW-Whitewater school official in performing his or her tasks.
  5. "SSN Data" is the Social Security Number or equivalent government identification number for individuals including but not limited to: Students, Employees, parents, cosigners, guardians, attorneys-in-fact, vendors, and sub-contractors.
  6. "Legitimate Educational or Business Need" means the school official may have the need to know and the right to access and use SSN Data within the context of his/her professionally assigned University responsibilities and the information must be used within the context of official University business.
  7. "Data Owner" is defined in the UW-Whitewater Data Custodianship Policy as follows:
    The University classifies data owners as those responsible for:
    • Knowing and understanding the data for which they are responsible;
    • Evaluating and ensuring the data has been appropriately classified based on state and federal law, regulatory agency requirements and any contractual obligations, and University regulations;
    • Establishing access and utilization criteria;
    • Exercising due care in setting standards for protection of data;
    • Monitoring compliance and enforcing policy;
    • Implement practices to assure data accuracy.

    SSN Data Owner responsibilities are shared among the directors of the primary business units that administer the university-approved activities that collect and store SSN Data.  The units include Undergraduate and Graduate Admissions, Financial Aid, Registrar’s Office, Financial Services, Alumni Relations, and Human Resources.

    The Data Owners for SSN Data are:

    Data Owner Primary Data Sets
    Director of Admissions Applicant, Admitted Student, Parent, and Guardian Information
    Registrar Enrolled Student Information
    Dean of the School of Graduate Studies Graduate Applicant, Admitted, and Enrolled Student Information
    Foundation Manager Alumni Information
    Director of Financial Aid Financial Records for Prospective, Admitted, and  Enrolled Students, Parents, and Alumni
    Bursar
    Director of Human Resources Employee Information
  8. "Data User" is defined in the UW-Whitewater Data Custodianship Policy as follows:
    The University classifies data users as those responsible for:
    • Following this policy and information access procedures established by data owners;
    • Access only the information for which they are authorized;
    • Report suspected or actual violations of policies and standards to management;
    • Exercising due care in the use of confidential and restricted data.

D. Rules of Conduct

  1. Access to and Collection of SSN Data
    1. General
      1. Employees should read and agree to all aspects of this policy before they are allowed access to SSN Data.  Both the employees and their supervisors are responsible for ensuring compliance with this requirement.
    2. Access to SSN Data
      1. Access to SSN Data is not permitted unless authorization for this access has been granted in writing by the appropriate Data Owner.
      2. When access is authorized, SSN Data should only be obtained directly from WINS or from the office of the Data Owner, unless a collection exception, as defined below, has also been authorized.
      3. Requests for access to SSN Data will be considered on a case-by-case basis and only when the requester’s professional responsibilities require regular (e.g., daily) access to SSN Data and the person has no reasonable alternative for obtaining the data.  These requests must be made in writing and must be submitted in advance to the appropriate Data Owner, with written justification demonstrating a Legitimate Educational or Business Need for obtaining the data.  Requests must include an outline of how the data will be stored, transmitted, used, and expunged after use.  Requests must be signed by the individual in charge of the office requesting the data and will serve as a request for the transfer of responsibility for the protection of the sensitive data.
    3. Collection of SSN Data
      1. SSN Data should not be collected by any Student, Employee, or School Official outside of offices of formally designated Data Owners.
      2. In exceptional cases, a Data Owner may permit collection of SSN Data by Employees or School Officials outside of the Data Owner’s office.  Requests for this authorization must be made in writing and must be submitted in advance to the appropriate Data Owner.  Requests must demonstrate a Legitimate Educational or Business Need for obtaining the data from a source other than the Data Owner or WINS. Data collection requests must be made in addition to the access request defined above.  All collection requests must include signed approval from the supervising Dean or Division Head.
    4. Authorization Period and Process
      1. Approved requests for access to or collection of SSN Data will be time limited.  Continuation beyond the approved period will require submission and approval of a new request.
      2. Data Owners will provide copies of all approved requests for access to or collection of SSN Data to the office of the Chief Information Officer (CIO) for campus.
    5. Special requirements for Third Parties
      1. Contractual arrangements with third parties requiring the sharing or disclosing of SSN Data must be in writing.  The written agreement must specify the confidential information that will be shared, how that information will be used, and the services the third party will be performing on behalf of the University.  The confidential information shall be used only for the purposes agreed to in writing between the University and the third party. The third party shall not share or disclose the information with any other third party outside of the purposes stated in the written agreement unless written consent from the appropriate University authority is obtained and such redisclosure is permissible under relevant laws and regulations (e.g. FERPA). The third party will be required to indemnify and hold the University harmless for any loss, cost, damage or expense suffered by the University as a direct result of the third party’s failure to comply with the requirement not to release information, except for the sole purpose(s) stated in the written agreement. The third party shall agree to either destroy this information in a manner that completely protects the confidentiality of the information or return the information to the University upon the expiration of the agreement.
  2. Provision of SSN Data
    1. General
      1. Employees and School Officials shall not disclose SSN Data to unauthorized persons or entities.
      2. SSN Data shall not be included in any document, communication, or report unless inclusion of this data has been explicitly requested and authorized by the appropriate Data Owner.
    2. Data Owners
      1. SSN Data Owners should protect the privacy and confidentiality of SSN Data. 
      2. SSN Data Owners should ensure that SSN Data are not divulged to other units or school officials unless a Legitimate Educational or Business Need requiring the use of SSN Data can be demonstrated.  In such cases, the Data Owner should stipulate the strict conditions and manner under which such data is to be used and handled.
  3. Transmission of SSN Data
    1. Unencrypted SSN Data should not be transmitted via email or off-campus network connections (i.e. the internet).
  4. Storage and Maintenance of SSN Data
    1. Location
      1. The only authorized locations for storage of SSN Data are on University provided access-controlled network drives and in iCIT managed databases.
      2. SSN Data may not be stored on local computers, laptops, removable media, or USB drives.
    2. Encryption
      1. SSN Data should be encrypted or offered similar protection when stored.
    3. Maintenance 
      1. Employees who are responsible for the maintenance of records that contain SSN Data should observe all administrative, technical, and physical safeguards established by the University in order to protect the confidentiality of such records.
  5. Use of SSN Data
    1. Units are encouraged to inventory the SSN Data in their areas and to keep this inventory updated.
    2. Use of SSN Data is to be avoided whenever a reasonable alternative is available.
    3. Student/Employee ID Number is the preferred unique identifier for students and employees.
  6. Disposal of SSN Data
    1. SSN Data stored outside of WINS should be expunged when a Legitimate Educational or Business Need for these data no longer exists.
    2. Business records being retained to fulfill public record retention obligations should be redacted to eliminate SSN Data when a Legitimate Educational or Business Need for these data no longer exists.

E.  Unit Level Context

Each entity working with SSN Data is encouraged to further refine, clarify, and document how SSN Data are to be used in their particular environment in support of these policies and guidelines.

F.  Unauthorized Disclosure

Employees and School Officials are required to immediately report any unauthorized disclosure of SSN Data to their Dean/Division Head and to iCIT’s Information Security Officer.  The Security Officer will assess the extent of the disclosure and will consult as needed with university administration and legal counsel to determine the appropriate response.In the event that compelling evidence of unauthorized acquisition of SSN Data is found, the University will provide notice as required by 2005 Wisconsin Act 138.

Excerpts of 2005 Wisconsin Act 138

(2)NOTICE REQUIRED. (a) If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.

If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the timing, distribution, and content of the notices sent to the individuals.

G.  Unauthorized Use

Employees and School Officials should report any known or suspected use of SSN Data that has not been authorized in accordance with this policy to their supervisors and to iCIT’s Information Security Officer.  The Security Officer will notify the Data Owners of the issue and will support the efforts of the involved parties to achieve compliance with this policy.