Effective Date: October, 2013
Columbia University is committed to protecting Social Security Numbers (SSNs) of faculty, staff, students and other individuals associated with the University from unauthorized or unnecessary disclosure. Because the distinctiveness of the SSN as an individual identifier makes SSNs particularly vulnerable to exploitation, federal and state law and regulations require special protections for non-disclosure of SSNs in addition to those afforded Sensitive Data under the Information Security Policies (as such terms are defined in the Columbia University Information Security Charter (the “Charter [http://policylibrary.columbia.edu/information-security-charter]. The purposes of this Policy are to provide consistent and clear guidelines for the acquisition and use of SSNs and eliminate unnecessary storage and use of SSNs in University Information Resources (as defined in the Charter).
A PDF of this policy is also available to the right.
Capitalized terms used herein without definition are defined
in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy replaces the University’s Social Security Number (SSN) and Unique Person Number Usage (UPN) Policy, dated September 10, 2007.
III. Policy Text
The faculty, staff, students and other individuals associated with the University must ensure that the following protections are implemented with respect to the use of SSNs:
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix B hereto.
EXAMPLES OF APPROPRIATE USAGE OF SSNs
A SSN is required as a taxpayer ID for all tax information reported to the IRS, including wage and withholding data for full-time and part-time faculty, staff and students, for honoraria provided to guests and for individuals working for the University as independent contractors.
A SSN is necessary to obtain financial information and to identify and confirm the level of financial aid assistance.
Human Resource Services
The Immigration Reform and Control Act of 1986 (IRCA) requires the use of an SSN for I-9 forms, and certain benefit providers, such as health insurance companies, may require an SSN for verification of eligibility and coordination of benefits. Therefore, in addition to the tax reporting reasons, SSNs will need to be collected from all new employees in the new hire process, and may be requested and used for certain human resource services functions when necessary.
Federal and state agencies often rely upon SSNs as the primary identifier for law enforcement and criminal information purposes. In the event such agencies request SSN information using proper procedures, and the University has such information, it will be provided following review and approval by the Office of the General Counsel.
The collection and use of SSNs is often necessary for the conduct of research activities (e.g., epidemiological studies collecting mortality statistics). The Columbia University Institutional Review Boards
must approve any collection of SSNs.
Health Records and Medical Billing
SSNs are used to identify patients’ health records and for purposes of medical billing.
Student Information Systems
SSNs are collected from all students attending the University and maintained in the University’s Student Information System.
Information Security Charter
Registration and Protection of Endpoints Policy