University Policy on Social Security Number Privacy

This Policy provides for the confidentiality of social security numbers obtained by the University in the ordinary course of business. [1] References in the Policy to "social security number" mean an individual's social security number or more than four sequential digits of that number. References in the Policy to "documents" include all documents regardless of form (i.e., paper, electronic, microfiche, etc.).

I. Applicability
Effective January 1, 2006, this Policy applies to all University employees, including support staff, faculty/academic staff, executive managers, and student employees.

II. Access to Social Security Numbers 
The University restricts access to information or documents containing social security numbers to employees who have a legitimate University business reason to access such information or documents. Unit supervisors/unit administrators are responsible for implementing this restriction through appropriate unit training and oversight procedures.

III. Prohibited Disclosures 
University employees shall maintain the confidentiality of University information and documents containing social security numbers. University employees shall not do any of the following with the social security number of an employee, student, or other individual:

  1. Publicly display the social security number.[2]
  2. Use the social security number as an individual's primary account number unless that use has been approved by the Assistant Vice President for Human Resources or the Associate Provost and Associate Vice President for Faculty and Academic Staff Affairs.
  3. Visibly print the social security number on any identification badge, membership card, permit, or license.
  4. Mail a document containing an individual's social security number unless it falls within one of the following exceptions:[3]
    • State or federal law, rule, regulation, or court order or rule authorizes, permits, or requires that the social security number appear in the document.
    • The document is sent as part of an application or enrollment process initiated by the individual.
    • The document is sent to establish, confirm the status of, service, amend, or terminate an account, contract, policy, or employee or health insurance benefit, or to confirm the accuracy of a social security number of an individual who has an account, contract, policy, or employee or health insurance benefit.
    • The document is mailed in connection with an ongoing administrative use to do any of the following:
      • Verify an individual's identity, identify an individual, or accomplish another similar administrative purpose related to an existing or proposed account, transaction, product, service, or employment.
      • Investigate an individual's claim, credit, criminal, or driving history.
      • Detect, prevent, or deter identity theft or another crime.
      • Lawfully pursue or enforce the University's legal rights.
      • Provide or administer employee or health insurance benefits, claims, or retirement programs.
    • The document is mailed by or at the request of the individual whose social security number appears in the document or at the request of his/her parent or legal guardian.
    • The document is mailed in a manner or for a purpose consistent with the federal Gramm-Leach-Bliley Act (GLB), federal Health Insurance Portability and Accountability Act (HIPAA), or the Michigan Insurance Code of 1956.
    • Other exceptions approved by the Office of General Counsel.
  5. Require an individual to transmit his/her social security number over the Internet or a computer system or network unless the connection is secure, or the transmission is encrypted.
  6. Require an individual to use or transmit his/her social security number to gain access to an internet website or a computer system or network unless the connection is secure, or the transmission is encrypted.
  7. Mail any document containing a social security number that is visible on or from outside the envelope or packaging for the document.

IV. Authorized Uses 
This Policy does not prohibit the use of social security numbers where the use is authorized or required by state or federal statute, rule, regulation, or court order or rule, or pursuant to legal discovery or process.

This Policy also does not prohibit the use of social security numbers by the Police Department for criminal investigation purposes or the provision of social security numbers to a Title IV-D agency (child support/support orders), law enforcement agency, court, or prosecutor as part of a criminal investigation or prosecution.

V. Disposal of Social Security Numbers 
Documents that contain social security numbers shall be properly destroyed when those documents no longer need to be retained pursuant to University document retention policies. Paper documents containing social security numbers should be shredded. Electronic documents containing social security numbers should be destroyed in a manner consistent with the "best practices" guidance issued by the Vice Provost for Computing and Technology.

VI. Violations
Violations of this Policy may result in disciplinary action, up to and including termination of employment. Individuals who violate this Policy may also be subject to the civil and criminal penalties provided for in the Michigan Social Security Number Privacy Act.

VII. University Resources
Questions regarding this Policy may be directed to Human Resources, Faculty and Academic Staff Affairs, the Vice Provost for Libraries, Computing & Technology, or the Office of General Counsel.

 


Footnotes

 

[1] This Policy has been created pursuant to Section 4 of the Michigan Social Security Number Privacy Act, MCLA 445.81 et. seq.

[2] "Publicly display" means to exhibit, hold up, post, or make visible or set out for open view, including but not limited to, open view on a computer device, computer network, website, or other electronic medium or device, to members of the public or in a public manner.

[3] "Mail" includes delivery by United States mail, campus mail, or any other delivery service that does not require the signature of the recipient indicating actual receipt.