Social Security Numbers and Other Personal Information
Compliance is a must.
Social security and driver’s license numbers are protected by state law. The University’s Data Protection Standards explain what departments that collect, access, share, send, use or store this Restricted Use data must do to ensure that it is safe and secure.
Failing to comply with these laws and policies has serious consequences.
PAGE CONTENTS:
The Basics
Consequences
Beyond the Basics
Still Have Questions?
The Basics
EVERYONE
- DON’T request, access, use or store social security or drivers’ license numbers unless there is a legitimate business need to do so and your department has confirmed that it complies with the Data Protection Standards for Restricted Use data.
- DON’T under any circumstances store sensitive information like social security or drivers’ license numbers in Dropbox, Google Drive or any other service that has not been approved by Information Security.
- DON’T send or transmit social security or drivers’ license numbers under any circumstances, unless you are authorized by your department and have a secure mechanism approved by Information Security for doing so.
- DO read the Data Protection Standards and be sure you understand how to secure sensitive information.
- DO help minimize risk. Be on the lookout for University forms (paper or electronic), emails, or old files (electronic or paper) that contain social security or drivers’ license numbers. If it doesn’t seem necessary, say something. Ask your supervisor, Information Security, Compliance Services or Internal Audit for help determining whether it is appropriate for social security or drivers’ license numbers to be in those places and, if not, how to safely and securely destroy the information.
- DO report any suspected data breach to Information Security immediately.
DEPARTMENTS THAT ACCESS, USE OR STORE SOCIAL SECURITY OR DRIVERS’ LICENSE NUMBERS
- DON’T store social security or drivers’ license numbers on unencrypted laptops, USB drives or portable devices.
- DON’T email or otherwise transmit social security or drivers’ license numbers electronically. If it’s absolutely necessary, contact Information Security to identify a secure way to do so. The University’s encrypted email system may be used to send sensitive information to individuals outside of the University.
- DO contact Information Security or Compliance Services if you need help determining whether your collection or use of social security or drivers’ license numbers is appropriate.
- DO make sure that social security and drivers’ license numbers are stored in locked file cabinets or encrypted electronic storage.
- DO take special care to destroy social security and drivers’ license numbers responsibly. Information Security provides simple explanations for destroying paper records, CDs, DVDs, files, storage devices, and the like.
- DO contact Sourcing & Procurement if you plan to buy or use software that will use or store social security or drivers’ license numbers to ensure that the contract has appropriate protections in place to safeguard the information.
- DO report any suspected data breach to Information Security immediately.
Consequences
- A data breach involving social security or drivers’ license numbers may lead to identity theft or stolen funds. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
- If there is a data breach that involves social security or drivers’ license numbers, the University may be required to notify every individual whose information has been breached and may provide credit monitoring. In addition, the University may be required to notify state attorneys general and credit card companies about the breach. The department in which the breach occurs will participate in these efforts.
- Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.
Beyond the Basics
Want to know more? There are additional resources on the following important, related topics.
- Learn more about the University’s Data Protection Standards.
- Learn more about Restricted Use Data.
Still have questions?
Below you can find contact information and links to team sites.
Compliance Services
Email Compliance Services or call 617-358-8090 if you aren’t sure where to start, or for questions concerning compliance with laws or policies about social security numbers and other personal information.
Information Security
Information Security can help you keep data secure, reliable, and accessible. Report a data breach to the Information Security Breach Response Team.
Internal Audit
Internal Audit can help you determine whether you really need social security numbers and whether there’s a more secure way to meet your business needs.
Sourcing & Procurement
Sourcing can help you find the right vendor and make sure the vendor is as careful with sensitive data as we are.