Tulane University Policy on the Use of Social Security Numbers

1 Purpose 

The use of Social Security Numbers (SSNs) as identity verification puts members of the Tulane University community at greater risk for identity theft. As the University moves towards the completion of the implementation of the Campus-Wide ID for students, faculty and staff, there is the need to restrict the use of social security numbers to only instances where their use is required by law. 

 

2 Statement 

The use of SSNs must be removed from all information systems as soon as is practical and no further use of SSNs in Tulane information systems is permitted other than when such use is required by law. 

 

3 Due Care 

SSNs maintained on University Information Systems and departmental databases are considered protected information under both the Gramm-Leach-Bliley Act (GLB) and the Family Educational Rights and Privacy Act (FERPA), and other federal and state laws. If a department must use SSNs, Tulane University requires great care when maintaining SSNs in university and departmental systems. This standard of care includes ensuring employees are educated about the sensitivity of SSNs and best practices for securing them, ensuring the systems that have SSNs are encrypted and physically secure and working aggressively to eliminate their use unless that use is required by law. The Guidelines on the Use of Social Security Numbers provides specific guidance on the use of social security numbers. 

 

4 Approval for Storing SSNs 

Upon completion of the implementation of the Campus-Wide ID and the removal of all SSNs - except those that are required to be stored by law - from all University information systems, departments should follow the following process for obtaining approval before storing SSNs: 

  • The department should send a request to store SSNs to the Information Security Officer. The request should at a minimum include the reason(s) for requesting, who will have access to the records, how the records will be stored and how the records will be secured. 
  • The Information Security Officer reviews the request and sends a summary of the request together with a recommendation for approval or non-approval to the VP for Information Technology. 
  • If approved by the VP for Information Technology, a signed approval document is provided to the department. 
  • The Information Security Officer then notifies Internal Audit that the department has approval to collect, store, or use SSNs, and should be audited annually. 

 

5 Additional Information 

For further information about this and other information security policies and applicable computing laws and regulations please contact the Information Security Officer at (504) 988-8500 or security@tulane.edu