Policy on the Use, Collection, and Retention of Social Security Numbers by Georgetown University

In Support of UIS.401 Data Security Policies

Statement

Social Security Numbers (SSNs) may not be captured, retained, communicated, transmitted, displayed or printed, in whole or in part, except where required by law, or permitted in accordance with the standards outlined in this policy. This policy applies to all use, collection, and retention of SSNs, whether maintained, used, or displayed wholly or in part, and in any data format, including but not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile, or other medium as determined. In all cases, University approval must be obtained for the use, collection, and retention of SSNs.

All approved uses of SSNs must be consistent with the University’s established data security principles and ensure the secure use, collection, and storage of SSNs.

The University will take steps necessary and appropriate to comply with federal and other applicable laws regarding the use and retention of SSNs.

Applicability

This policy applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and other members of the University community, including those affiliated with third parties, who use Georgetown University information resources, particularly including, but not limited to, those who are entrusted with highly sensitive data and data protected by law or other Georgetown University policies.

Guiding Principles and Purpose

The University will take steps necessary and appropriate to guard the confidentiality of SSNs and to eliminate or minimize its exposure to liability and other harms arising from unauthorized access to, or data breaches involving, SSNs. No use of the SSN, or any part of the SSN, is permitted except as authorized under this Policy. SSNs are highly confidential information and must be handled in accordance with applicable law pursuant to this policy.

This policy requires that the University community is compliant in eliminating the use of SSNs as the primary record key in Georgetown University’s systems, except in the limited instances where the use of SSNs is required by law and/or specifically permitted by the University.

SSNs, or any part of the SSN, are NOT permitted:

  1. As the primary record key, or sort key, in any University database or other business system or operation
  2. As an identifier among University departments or with external University affiliates

A list of approved uses of SSNs shall be maintained by the University Information Security Office (UISO), which will be updated as necessary to reflect the current state of University approved uses and applicable law relating to the use, collection, and retention of SSNs.

Administration and Implementation

Any use, collection, or retention of SSNs, by any member of the university community, must be approved by the University Information Security Office (UISO).

The Georgetown University ID, the nine digit number beginning with the numeral “8” listed on each person’s GU identification card, may be used to identify, track, and provide services to individuals for all University electronic and paper data systems and processes.

Where Georgetown University faculty and staff members are submitting documents related to employment and other records, the social security number may be a requirement. Human Resources processes and regulations require that all University employees and people managers are compliant with the Social Security Number Requirement.

Georgetown University Social Security Number Requirement:  “Employees must provide SSN to Human Resources within 60 days of hire as a condition of continued employment eligibility and requirement of applicable state and federal tax law”.

Authorized Collection and Retention of Social Security Numbers

University Organization
Authorized Purpose
Authorizing Party
Office of Human Resources Faculty, Staff, and AAP onboarding, payroll, and tax management Anthony Kinslow

VP & Chief Human Resources Officer
Office of Faculty and Staff Benefits Faculty, Staff, AAP, Retiree and eligible participant benefits administration and management Charles DeSantis

AVP for Benefits, Payroll and Wellness and Chief Benefits Officer
Office of the Chief Financial Officer | Tax Department Nonresident Alien (NRA) tax withholding and associated guidance for University compliance David Green

Chief Operating Officer
Clinical Research/Human Subject Research* Limited use and retention as required for approved human subject research studies Shaunagh Browning

Senior Director, Office of Human Subject Protections

Responsibilities

Employees:

  • Participate in required training on the handling of sensitive data
  • Ensure their own compliance with this policy and all procedures developed by their business units to implement this policy.

Heads of Academic Departments, Managers and Supervisors:

  • Participate in required training on the handling of sensitive data.
  • Supervise the access rights granted by the Data Stewards
  • Ensure that their employees are in compliance with this policy
  • Complete the necessary training to work with SSNs.

Business Units:

  • Develop, document, and implement applicable procedures to effectuate this policy.
  • Obtain approval of these procedures by the UISO, who shall consult as necessary with University Counsel.

Data Stewards:

  • Develop and gain approval for granting access rights, policies, and procedures, from the UISO and, where required by UISO, University Counsel.
  • Grant access to records containing SSNs only to those individuals requiring access as determined by job function.
  • Work with the UISO on a continuing basis to proactively review these grants of access, policies, and procedures to ensure compliance with this policy, as well as applicable law.

University Information Services Office:

  • Together with the Office of University Counsel, maintain oversight and approval of all University use, collection, and retention of SSNs.
  • Approve the procedures developed by the Business Units and Data Stewards to ensure compliance with this policy.
  • Work with Data Stewards to proactively review grants of access, policies, and procedures to ensure compliance with this policy, as well as applicable law.
  • Maintain and update a list of approved uses of SSNs, which will be updated as necessary to reflect the current state of University approved uses and applicable law relating to the use, collection, and retention of SSNs.
  • Secure University information services resources and operations, including the oversight of all University use, collection, and retention of SSNs.

Enforcement

Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate this Policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution. When appropriate, the University may restrict a violator’s access to University resources pending further investigation of a possible violation of this policy.

Definitions

Data Stewards: Data Stewards are individuals recognized by the University to have primary responsibility for protected or sensitive information resources including, but not limited to, financial data and student records. Their responsibilities include establishing policies and procedures to ensure the secure creation, retention, distribution, and disposal of information, as well as the assignment of classifications to regulated PII, and determining who is authorized to access the information under their stewardship.

Georgetown University Information Security Website: Located at http://security.georgetown.edu, the website where procedures and processes related to this, and other information security-oriented policies, may be found.

Georgetown University ID (GUID): the nine digit number beginning with the numeral “8” listed on each person’s Georgetown University identity card.

Primary Record Key: The major index for a database or file.

Social Security Number (SSN): a 9-digit number issued by the federal government, through the Social Security Administration, primarily used to track individuals for taxation purposes. SSN may be interpreted to include Taxpayer Identity Number (TIN).

Resources

Georgetown University Human Resources Policy Manual

Georgetown University Information Security Policy

Georgetown University Record Retention Policy

Georgetown University Acceptable Use Policy

Approval

Original 2018

Updated 2023

Approved by Micah Czigan, CISO

Approved by Douglas Little, Interim CIO and Vice President

Review Cycle

This policy will be reviewed and updated as necessary to reflect changes in institutional policy, relevant law or regulation.