Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System
Protecting the Confidentiality of SSNs 2
Purpose
The purpose of this training is to:
- Provide general information, as required by BPM 66, about the confidentiality of social security numbers (SSNs) and the provisions of Business Procedures Memorandum 66 (BPM 66), and
- Highlight concerns regarding the use and protection of SSNs in light of recent events.
Learning Objectives
- Key requirements of BPM 66
- Actions you must take to comply with BPM 66
- What this all means to you in your daily work
- Review provisions of the Security Plan for Safeguarding SSNs
- Introduce resources to go to for more information

Key Requirements of BPM 66
- Increase awareness of the confidential nature of SSNs.
- Reduce reliance on SSNs for identification purposes.
- Establish a consistent approach toward SSNs throughout UT System.
- Ensure that SSNs are handled in a confidential manner.

Why all the concern?
- Numerous federal and state laws govern disclosure and use of SSNs. Key provisions of the laws are summarized on the SSN web site.
- Increased reliance on the Internet and computers has greatly increased the risk of identity theft involving SSNs.
- Recent increases in stolen computer equipment, computer hackers, and scams, all involving personal data that include SSNs.
- Media scrutiny of governmental agencies and public demands for assurance that safeguards are in place.

Here’s why…
Identity Theft Concerns - Data Breaches in 2006
- University of Washington
- Veterans’ Affairs
- Federal Aviation Administration
- City of San Diego
- University of Northern Iowa
- State of Rhode Island Department of Transportation
- University of Texas at Austin
- U.S. Department of Education
- State of Georgia
- Georgetown University
- Ohio University
- Texas Guaranteed Student Loan
- University of Minnesota

Here’s why…
“Possession of someone else's Social Security Number is key to laying the groundwork to take over someone's identity and obtain a driver's license, loans, credit cards, cars, and merchandise. It is also key to taking over an individual's existing account and wiring money from the account, charging expenses to an existing credit line, writing checks on the account or simply withdrawing money.”
Testimony of Grant D. Ashley, Assistant Director, Criminal Investigation Division, FBI, before the House Ways and Means Committee, Subcommittee on Social Security, September 19, 2002

What does BPM 66 require?
BPM 66 contains procedures to:
- reduce the use and collection of SSNs,
- inform individuals when SSNs are collected,
- reduce the public display of SSNs,
- control access to SSNs,
- protect SSNs, and
- establish accountability.
What must I do to comply?
Except when a UT institution is legally required to collect an SSN, an individual cannot be required to disclose his or her SSN or be denied service for refusing to disclose the SSN.
The notice required by the Federal Privacy Act must be given each time a UT institution requests disclosure of an SSN, except when the institution is already in possession of an individual’s SSN and requests it for identification purposes (amendment to BPM 66, Section 3.1.3, approved January 2006).

What must I do to comply?
Samples of approved notices are in Appendix 3 to the BPM. The SSN Coordinator can also assist you in preparing a notice for your particular needs.
In addition to the Federal Privacy Act notice, State law requires an additional notice whenever we collect SSNs or other personal information by means of a paper or an electronic form. Your supervisor or the SSN Coordinator can help with formulating this notice, too.

What must I do to comply?
- SSNs are not to be displayed on documents, computer screens, PDAs, etc., that can be seen by the general public (e.g., time cards, rosters, etc.) unless required by law.
- Mailed materials containing SSNs should be designed so that SSNs do not show in the envelope window.
- SSNs are not to be sent over the Internet or via e-mail unless encrypted or otherwise secured.

What must I do to comply?
- Limit access to records containing SSNs to those employees who need access for the performance of job duties.
- Records with SSNs should not be stored on computers or other electronic devices that are not secured against unauthorized access.
- SSNs should be shared only with authorized third parties. A written confidentiality agreement should be used that requires the third party to use adequate safeguards to protect records containing SSNs.

What must I do to comply?
- Records and media (disks, hard drives, etc.) containing SSNs must be discarded in a way that protects the confidentiality of the SSN. For example, paper records should be shredded and hard drives should be reformatted.
- All new systems must comply with the standards contained in § of BPM 66 (SSNs may not be the primary key to a database; SSNs are not to be displayed). Before acquiring or developing new systems, contact your Information Technology Department and the SSN Coordinator.

What must I do to comply?
- Each employee must comply with the Rules of Conduct that implement BPM 66. Failure to do so may result in disciplinary action, including discharge or dismissal.
- Each employee must promptly report inappropriate or suspected disclosures of SSNs to his or her supervisor, who is to report such disclosures to the SSN Coordinator.
- If you have any questions about whether a specific use of SSNs is necessary or appropriate, ask the SSN Coordinator.
Beginning on September 1, 2007
- The use of the SSN as a primary identifier must be discontinued unless required or permitted by law.
- A unique identifier must be assigned to each individual.

What does all of this mean to you in your daily work?
- If you need access to SSNs to do your job, you will have that access.
- If you use SSNs in your work, ask yourself: “Why do I need the SSN?”

What does all of this mean to you in your daily work?
If you request that an individual disclose his or her SSN, remember that you must provide the Federal Privacy Act notice. You must give that notice regardless of whether you are assisting someone in person or over the phone or whether the person is completing a paper or electronic form.
NOTE: A subsequent request for production of a social security number for identification purposes does not require the provision of another notice.

What does all of this mean to you in your daily work?
- If an individual refuses to give you his or her SSN, remember that you cannot refuse to provide the requested services unless the SSN is required by law.
- Protect SSNs on paper documents and computer systems. Take care to be sure that such records are properly secured and/or discarded.
- Be sure to report non-compliance to your supervisor or the SSN Coordinator immediately.

What does all of this mean to you in your daily work?
Follow these rules:
- Do not request an SSN unless it is necessary and relevant to your job duties.
- Do not disclose SSNs to unauthorized persons or entities.
- Do not use another person’s SSN to your own personal advantage.
- Observe all administrative, physical, and technical safeguards.
Security Plan for Safeguarding SSNs
The Institutional Security Plan for Safeguarding Social Security Numbers was established and implemented pursuant to § of BPM 66. The Security Plan was intended to provide guidance to all employees to protect against reasonably anticipated threats to the security and integrity of SSNs and anticipated uses or disclosures that are not required or permitted by law.

Security Plan for Safeguarding SSNs
The safeguards in the Security Plan refer to the UT institution’s policies and procedures currently in place to comply with federal and state regulations governing the protection of sensitive and confidential information in electronic form.

Security Plan Provisions
Each institutional office shall control its employees’ access to SSNs by:
- Limiting access to records containing SSNs to those employees who need access to such information for the performance of their job responsibilities; and
- Working with the Human Resources Department and the Information Technology Department to make sure access to records containing SSNs is terminated when employment ends or when an employee’s responsibilities no longer require access to SSNs.

Security Plan Provisions
Safeguards for any SSNs stored in a business information system include:
- Restrictions on access to workstations and portable devices containing SSNs to authorized employees; and
- SSNs displayed on computer monitors or other forms of output shall not be visible or accessible to individuals who are not authorized to view SSNs.

Security Plan Provisions
For any SSNs contained in paper documents, the following requirements must be met:
- Printers and fax machines shall be located in secured locations so unauthorized individuals cannot readily access or read the SSNs; and
- Paper records containing SSNs shall not be discarded in trash bins or recycle bins, but shall be shredded or placed in a secure bin for disposal.

Relevant Laws
A summary of the key provisions of some of the relevant laws appears on the SSN web site. More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for the employee’s job duties.

How can you find out more?
- Review BPM 66
- Read the related Rules of Conduct
- Read the Security Plan for Safeguarding Social Security Numbers
- Review the relevant laws governing SSN confidentiality
- Ask your supervisor
- Contact the SSN Coordinator
Thank you for completing this training. The University of Texas System