Initially approved March 21, 2005
Regulations on the Use of Social Security Numbers
Supplemental to Policy Statement #102, Data and Information Security
With the implementation of the Banner system, UNC Charlotte will start the migration from using social security numbers (SSNs) as primary personal identification numbers for students and employees to an alternate ID.
Even after the Banner system is in effect, there will still be legitimate uses of the SSN on campus. Therefore, University employees who have access to SSNs must comply with the following regulations both prior to and after the Banner system is implemented:
Employees
- Supervisors must limit access to records containing SSNs to only those employees who need to use the numbers for the performance of their duties as University employees.
- Supervisors of temporary employees must limit the level of access that those employees have to SSNs and must provide appropriate training regarding the sensitivity of SSNs to those temporary employees who are required to have access to SSNs.
- All persons who have access to HRS, SIS, FRS or other electronic systems containing SSNs are required to sign a Confidentiality Agreement (see attached). Those departments and units that have access to HRS, SIS, FRS or other electronic systems containing SSNs are subject to internal audit.
Forms, Documents, and Records
- Any forms that require a personal identifier must label that field as such and not as “social security number.” Exempt are forms on which the SSN must be used under applicable federal or state law.
- SSNs may not be displayed on materials or documents that are widely seen by others, such as identification cards, badges, time cards, employee rosters, bulletin board postings, grade postings, web sites, and other materials.
- Documents that include SSNs must be stored in a secure place. When possible, records containing SSNs, including back-ups, should be protected during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.
- When possible, printed reports and other documents should not list SSNs; if SSNs need to be included in printed documents, such documents should be accessible only to individuals that require the information for the performance of their duties.
- Printed documents that contain SSNs must be securely destroyed when they are no longer needed, or upon the expiration of their retention based on the applicable University records retention schedule.
Computers and the Internet
- Electronic records containing SSNs may be stored only on University-owned electronic devices, and such devices must be secured against unauthorized access. Computer systems requiring the storage of SSNs should store them in a separate – if possible encrypted and password protected – data file.
- Persons with access to HRS, SIS, FRS, or other electronic systems containing SSNs must take reasonable care to minimize the time that computer screens display SSNs and to shield computer screens displaying SSNs from those without a legitimate work-related reason to access the SSNs. Computer screens displaying SSNs should never be left unattended.
- Information containing SSNs, or any part thereof (e.g., the last four digits of the SSN), may not be published on any University web site.
- Employees may not share passwords to computer systems that provide access to screens displaying SSNs.
- No University employee may require individuals to use SSNs as passwords or codes for access to Internet web sites or other services.
- When computers are sent to surplus or transferred to another department, data containing SSNs must be destroyed (see Policy Statement #44, “Surplus Property Procedures,” and/or the ITS Procedures for Transferring a Computer to Another Person).
- Users who borrow a University laptop computer for temporary use should ensure that any confidential information, including SSNs, that they may have stored on the computer’s hard drive in the course of such temporary use is removed before returning the computer to the University.
Mail and Email
- No University employee may require individuals to send their SSNs over the Internet or by email for a University-related purpose, unless the connection is secure or the SSN is encrypted.
- Printed documents containing SSNs should not be sent through the mail, except on applications or on forms when required by law. When sending applications or documents required by law to include SSNs through the mail, the SSN should not be revealed by an envelope window. Where possible, the SSN field on forms or applications should be left blank, and the individual filling out the form should insert the SSN before returning the form or application to the University.
Third Party Vendors
SSNs should not be disclosed to third parties external to the University except where required or permitted by law. When disclosing SSNs to third parties as required or permitted by law, such disclosure should be conditioned upon a written agreement that includes terms that:
- Protect the confidentiality of the SSNs and prohibit the third parties from re-disclosing SSNs, except as required by law;
- Require such third parties to use effective security controls on record systems containing SSNs;
- Hold such third parties accountable for compliance with the terms imposed, including monitoring or auditing their practices; and
- Indemnify the University against any claims related to the third party’s disclosure of the SSNs in violation of the terms of the agreement.
Inappropriate Disclosure
If a University employee discovers that SSNs have been disclosed inappropriately, and the individuals whose SSNs were disclosed are put at risk of identity theft or other harm, the employee must immediately notify ITS, which will work with the Office of General Counsel to ensure that those individuals are notified promptly.
Violation of University Policy
All employees who have access to SSNs should note that inappropriate use or disclosure of SSNs may constitute violation of University policy, including:
- Policy Statement #66, Responsible Use of University Computing and Electronic Communication Resources (http://www.legal.uncc.edu/policies/ps-66.html),
- Policy Statement #10, Network Security (http://www.legal.uncc.edu/policies/ps-10.html),
- Policy Statement #69, Student Records (http://www.legal.uncc.edu/policies/ps-69.html),
- Policy Statement #59, Personnel Records (http://www.legal.uncc.edu/policies/ps-59.html),
- Policy Statement #44, Surplus Property Procedures (http://www.legal.uncc.edu/policies/ps-44.html),
- Policy Statement #37, Retention, Disposition, and Security of University Records (http://www.legal.uncc.edu/policies/ps-37.html), and
- Policy Statement #102, Data and Information Security (http://www.legal.uncc.edu/policies/ps-102.html).
Violation of any such policies may result in appropriate disciplinary actions.
Confidentiality Agreement
Employee Name: _____________________________________________
I understand that my access to the confidential data, information, and records (hereinafter “Confidential Information”) maintained in UNC Charlotte’s electronic records systems (hereinafter “Records System(s)”) is limited to my need to know for the purpose of performing my duties as a University faculty or staff member.
Confidential Information includes, but is not limited to, Social Security Numbers, confidential personnel records (see Policy Statement #59, “Personnel Records”), and student education records (see Policy Statement #69, “Student Records”).
By my signature below, I acknowledge that I have been advised of, understand, and agree to the following terms and conditions of my access to the Confidential Information contained in any System.
- I will maintain my personal Records System password in confidence. I will not disclose it to any other person or authorize others to use it.
- I will use my authorized access to Records System information only in the performance of the responsibilities of my position as a University employee.
- I will comply with all controls established by the division of Business Affairs and Information Technology Services for the use of records maintained within a Records System.
- I will avoid disclosure of Confidential Information to unauthorized persons without the appropriate consent or permission or except as permitted under applicable University policy and/or Federal or State law. I understand and agree that my obligation to avoid such disclosure will continue even after I leave the employment of UNC Charlotte.
- I will exercise care to protect sensitive information against accidental or unauthorized access, modifications, disclosures, or destruction.
- When discussing Confidential Information with other employees in the course of my work, I will exercise care to keep the conversation private and not overheard by others who are not authorized to have access to such Confidential Information.
- I understand that any violation of this Agreement or University Policy Statement #102, “Data and Information Security,” will result in immediate termination of my access to Records Systems and may result in disciplinary action, including dismissal from employment, as well as criminal penalties or civil liability.
I have been given the opportunity to review Policy Statement #102 and the Regulations supplemental to Policy Statement #102, and any questions I have had about it have been answered to my satisfaction.
Employee Signature: _________________________________________
Date: _______________
Employee Name (please print): _________________________ UNC Charlotte ID:_______________
Department: ________________________________________________
Phone: _____________
Send To:
SMC
– Banner
ITS
Atkins Library