Statement

Social Security Numbers (SSNs) may not be captured, retained, communicated, transmitted, displayed or printed, in whole or in part, except where required by law or permitted under the standards set out in this policy. This policy applies to all use, collection, and retention of SSNs, whether maintained, used, or displayed in whole or in part, and in any format, including but not limited to spoken or written words, screen display, electronic transmission, stored media, printed material, facsimile, or any other medium. In all cases, University approval must be obtained before SSNs are used, collected, or retained.

All approved uses of SSNs must be consistent with the University’s established data security principles and ensure the secure use, collection, and storage of SSNs.

The University will take steps necessary and appropriate to comply with federal and other applicable laws regarding the use and retention of SSNs.

Applicability

This policy applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and other members of the University community, including those affiliated with third parties, who use Georgetown University information resources, particularly including, but not limited to, those who are entrusted with highly sensitive data and data protected by law or other Georgetown University policies.

Guiding Principles and Purpose

The University will take the steps necessary and appropriate to guard the confidentiality of SSNs and to eliminate or minimize its exposure to liability and other harms arising from unauthorized access to, or data breaches involving, SSNs. No use of an SSN, or any part of an SSN, is permitted except as authorized under this policy. SSNs are highly confidential information and must be handled in accordance with applicable law and this policy.

This policy may require significant changes to some of Georgetown’s business procedures. It requires the University community to become involved in the process of eliminating the use of SSNs as the primary record key in Georgetown University’s systems. The goal upon completion of this process is to eliminate SSNs from all University computing and storage devices except in the limited instances where the use of SSNs is required by law and/or specifically permitted by the University.

SSNs, or any part of the SSN, are NOT permitted:

  1. As the primary record key, or sort key, in any University database or other business system or operation
  2. As an identifier among University departments or with external University affiliates

A list of approved uses of SSNs shall be maintained by the University Information Security Office (UISO), which will be updated as necessary to reflect the current state of University approved uses and applicable law relating to the use, collection, and retention of SSNs.

Administration and Implementation

Any use, collection, or retention of SSNs, by any member of the University community, must be approved by the University Information Security Office (UISO).

The Georgetown University ID, the nine-digit number beginning with the numeral “8” listed on each person’s GU identification card, may be used to identify, track, and provide services to individuals in all University electronic and paper data systems and processes.

Responsibilities

Employees:

  • Participate in required training on the handling of sensitive data.
  • Ensure their own compliance with this policy and all procedures developed by their business units to implement this policy.

Heads of Academic Departments, Managers and Supervisors:

  • Participate in required training on the handling of sensitive data.
  • Supervise the access rights granted by the Data Stewards.
  • Ensure that their employees are in compliance with this policy.
  • Complete the necessary training to work with SSNs.

Business Units:

  • Develop, document, and implement applicable procedures to effectuate this policy.
  • Obtain approval of these procedures by the UISO, who shall consult as necessary with University Counsel.

Data Stewards:

  • Develop and gain approval for granting access rights, policies, and procedures, from the UISO and, where required by UISO, University Counsel.
  • Grant access to records containing SSNs only to those individuals requiring access as determined by job function.
  • Work with the UISO on a continuing basis to proactively review these grants of access, policies, and procedures to ensure compliance with this policy, as well as applicable law.

University Information Security Office (UISO):

  • Together with the Office of University Counsel, maintain oversight and approval of all University use, collection, and retention of SSNs.
  • Approve the procedures developed by the Business Units and Data Stewards to ensure compliance with this policy.
  • Work with Data Stewards to proactively review grants of access, policies, and procedures to ensure compliance with this policy, as well as applicable law.
  • Maintain and update a list of approved uses of SSNs, which will be updated as necessary to reflect the current state of University approved uses and applicable law relating to the use, collection, and retention of SSNs.
  • Secure University information services resources and operations, including the oversight of all University use, collection, and retention of SSNs.

Enforcement

Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate this Policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution. When appropriate, the University may restrict a violator’s access to University resources pending further investigation of a possible violation of this policy.

Definitions

Data Stewards: Data Stewards are individuals recognized by the University to have primary responsibility for protected or sensitive information resources including, but not limited to, financial data and student records. Their responsibilities include establishing policies and procedures to ensure the secure creation, retention, distribution, and disposal of information, as well as the assignment of classifications to regulated PII, and determining who is authorized to access the information under their stewardship.

Georgetown University Information Security Website: Located at http://security.georgetown.edu, the website where procedures and processes related to this, and other information security-oriented policies, may be found.

Georgetown University ID (GUID): the nine-digit number beginning with the numeral “8” listed on each person’s Georgetown University identity card.

Primary Record Key: The major index for a database or file.

Social Security Number (SSN): a nine-digit number issued by the federal government, through the Social Security Administration, primarily used to track individuals for taxation purposes. For the purposes of this policy, SSN may be interpreted to include a Taxpayer Identification Number (TIN).

Resources

Portions of this policy are adapted from the Northwestern University Information Security Policy and Standards: Secure Handling of Social Security Numbers and are used with permission from David Kovarik, Director, Northwestern University, Information Technology, Information & Systems Security/Compliance, on March 25, 2008. The policy is available at http://www.it.northwestern.edu/policies/SSN_policy.html.

The federal laws authorizing the collection and use of SSNs by government entities are detailed in Appendix I of the 2005 Statement Before the New York State Assembly Committee on Consumer Affairs and Protection and Committee on Governmental Operations, of Barbara D. Bovbjerg, Director, Education, Workforce, and Income Security Issues. The full text of the statement and its appendices is available at www.gao.gov/new.items/d051016t.pdf.

Georgetown University HIPAA Policy
Georgetown University Information Security Policy
Georgetown University Record Retention Policy
Georgetown University Human Resources Confidential Information Policy
Georgetown University Acceptable Use Policy

Approval

Approved by Judd Nicholson, CIO, September 2018

Review Cycle

This policy will be reviewed and updated as needed, but at least annually, unless changes in institutional policy or relevant law or regulation dictate otherwise.