User login

Close
 

Social Security Number (SSN) and Unique Person Number (UPN) Usage

Effective Date: September 10, 2007 

Policy Statement

The University's policy is to protect Social Security Number (SSN) or equivalent data from unauthorized or unnecessary disclosure.

Reason(s) for the Policy

Federal and state statues require handling SSNs in the most confidential manner.  The distinctiveness of the SSN as an individual identifier makes it increasingly vulnerable to exploitation.  Identity theft and the compromise of personal information are a growing concern for many institutions.  The purposes of this policy are to:

  • generate broad awareness of the confidential nature of the SSN;
  • provide consistent and clear guidelines for acquisition and use of SSN data;
  • eliminate unnecessary storage and use of SSNs in University documentation, practices and systems;
  • eliminate the use of the SSN as the primary identifier at the University; and
  • define the use of Unique Person Number (UPN) as the new alternate individual primary identifier in University systems and practices.  

Primary Policy to Which This Policy Responds

This policy responds to all applicable federal and state statutes pertaining to use of Social Security Numbers.  These statutes include, but are not limited to, the New York State Law, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).

Responsible University Officer and Office

Compliance Responsibility:  Office of the General Counsel

Policy Maintenance and Technical Support: Columbia University Information Technology (CUIT) and Security Office

Revision History

This policy is established in June 2007 (Initial Draft).

Who is Governed by This Policy

This policy applies to all individuals who access, use, or control information technology and/or non-electronic records containing SSN information. The individuals covered include, but are not limited to, faculty, staff, students, and those working on behalf of the University.

Who Should Know This Policy

All individuals listed above, particularly the custodians of SSN data. 

Exclusions & Special Situations

None.

Policy Text

Click here for full policy text