Information Technology Services Unit

Return to Skip Menu

Search

Return to Skip Menu

Main Navigation

Return to Skip Menu

Main Content

Virginia Polytechnic Institute and State University No. 1060 Rev.: 0

Policy and Procedures Date: May 25, 2007

__________________________________________________________________________________

Subject: Policy on Social Security Numbers

__________________________________________________________________________________

1. Purpose ................................................................................................................................................................ 1

2. Policy ................................................................................................................................................................... 1

2.1 Data Administration ..................................................................................................................................... 2

2.2 Collection and Storage of the Social Security Number ................................................................................ 2

2.3 Use of Collected Social Security Numbers ................................................................................................... 2

2.3.1 Use as Identifiers ................................................................................................................................. 2

2.3.2 Requests at Points of Service for Social Security Numbers ................................................................. 3

2.3.3 Display and Dissemination of Social Security Numbers ...................................................................... 3

2.4 Security of the Social Security Number ........................................................................................................ 3

2.4.1 Security Standards ............................................................................................................................... 3

3. Approved Language ............................................................................................................................................. 4

4. Definitions ........................................................................................................................................................... 4

5. References ............................................................................................................................................................ 5

6. Approval and Revisions ....................................................................................................................................... 5

1. Purpose

Virginia Tech is committed to ensuring the proper handling of the personal, confidential information that it collects

in order to carry out its missions, including the Social Security number and the Individual Taxpayer Identification

Number (collectively abbreviated as "SSN"). The purpose of this policy is to ensure that university employees and

offices comply with laws and regulations that affect the use of SSNs, including the Family Educational Rights and

Privacy Act, the Privacy Act of 1974, the Gramm-Leach-Bliley Act, and Virginia's "Disclosure or display of social

security number" (Code of Virginia § 2.2-3808).

Objectives of this policy and its dissemination include:

1. Awareness of the confidential nature of the SSN;

2. Minimized reliance upon the SSN for identification purposes;

3. A consistent policy regarding SSNs throughout the university; and

4. Increased confidence by students and employees that SSNs are handled in a confidential

manner.

2. Policy

Virginia Tech's policy for handling SSNs includes the following:

* to collect SSNs when legally required or legally permitted and necessary to conduct university business;

* to access SSNs to perform the necessary transactions relevant to those legal requirements or business needs,

including verifying data quality and safeguarding the data;

* to maintain SSNs securely;

* and to disclose SSNs only when legally permitted.

Virginia Polytechnic Institute and State University Policy 1060

Revision: 0 May 25, 2007

Policy on Social Security Numbers Page 2 of 5

2.1 Data Administration

Approval of the collection and use of SSNs resides with the Vice President for Budget and Financial Management.

Data trustees should forward a written request for approval to the Vice President for Budget and Financial

Management stating the legal requirement or business need for the data. Data trustees are defined for the SSN as

those Vice Presidents and Vice Provosts (VPs) who have oversight responsibilities for offices and functions that

collect and/or report the SSN, and the Vice President for Information Technology, who has oversight

responsibilities for the storage of the SSN in enterprise databases.

The data stewards are the managers of the operational departments where processes require the university to collect,

store, and use the SSN.

Only employees of Virginia Tech who have a need to know the SSN may have access to it. It is limited access

information.

2.2 Collection and Storage of the Social Security Number

Mandatory collection of SSNs will only be for purposes where the collection is mandated by a United States federal

government agency or by the Commonwealth of Virginia.

Once collected, an individual's SSN will be stored only in locations needed to conduct business and protect the

data. SSNs will be accessed only to conduct university business.

All university forms and documents that are used to collect SSNs will employ the language included in Section 3 of

this policy

Forms and documents may request voluntary disclosure at early stages of a process when the SSN is likely to be

required of the individual at a later point in the process (for example, application for admission or employment), as

a convenient moment for the collection. These forms and documents must indicate that the request is voluntary at

this stage, but may be required at a later stage in the process.

The SSN is assigned by the United States government and is subject to corrections brought to the attention of the

university either by the federal government or by the individual to whom it is assigned. Virginia Tech may also

undertake actions to verify SSNs.

2.3 Use of Collected Social Security Numbers

2.3.1 Use as Identifiers

SSNs will not be used either as identifiers of individuals nor as keys to records pertaining to individuals within

databases. Virginia Tech employees, students, and other individuals that require a unique identifier will be assigned

an identifying character string, called the Virginia Tech ID number (VT ID number). The VT ID number will not be

the same as, nor derived from, the SSN.

2.3.1.1 Data Administration for VT ID Numbers

Data administration for VT ID numbers resides with the VPs responsible for the collection, storage, use and

generation of the VT ID numbers (data trustees), and with the operational managers (data stewards). The VT ID

number may be freely used within the university for business purposes (university internal use). Data trustees or

designated data stewards must approve the request before ID numbers are released outside of the university.

The Virginia Tech ID number is the property of Virginia Tech and is assigned to individuals without regard for

individual preferences. The university reserves the right to assign, change, or revoke the identifier.

Virginia Polytechnic Institute and State University Policy 1060

Revision: 0 May 25, 2007

Policy on Social Security Numbers Page 3 of 5

2.3.2 Requests at Points of Service for Social Security Numbers

For situations in which Social Security numbers must be collected, different forms or levels of initial collection and

verification may be required. For example, employment may require producing the Social Security card and/or

verification of the number with the Social Security Administration, while compliance with the Taxpayer Relief Act

permits reporting of the SSN by the individual student. Individuals may volunteer their SSN if they wish as an

alternate means of locating a record.

2.3.3 Display and Dissemination of Social Security Numbers

SSNs may be released by the university to entities outside the university when:

* The SSN is required in order to comply with government reporting and transactional mandates, or

otherwise required by law; or

* The external entity is acting as the university's contractor or agent.

When SSNs are released to external entities acting as contractor or agent of the university, the appropriate data

steward is responsible to obtain satisfactory assurances that the information is held securely and is not redistributed.

Particular care must be taken with older records to prevent inadvertent, inappropriate release of SSNs.

SSNs-in whole or in part-must never be placed within public view.

2.4 Security of the Social Security Number

Electronic transmission of SSNs must follow established electronic transmission security standards (see Section

2.4.1 below).

When paper documents containing the SSN are sent through a delivery system (i.e., campus mail, U.S. Postal

Service, messenger services), the documents must be appropriately safeguarded.

Records containing SSNs that predate this policy need not be changed; however, these and all records that contain

SSNs must be stored securely using standard encryption techniques and/or through physical security.

Data stewards and all data users of the SSN are responsible for ensuring proper and secure disposition of both paper

and electronic documents or files containing SSNs in accordance with applicable University policy. University

records must be handled in accordance with University Policy 2000-Management of University Records.

2.4.1 Security Standards

Information Technology maintains standards to address the handling of SSNs within electronic systems. Adherence

to these standards is required. The standards address:

* Display of SSNs on computer terminals, screens, and reports;

* Security protocol required to access SSNs in electronic databases;

* Electronic storage of SSNs;

* Electronic transmission of SSNs;

* Alternate mechanisms for integrating data other than the use of the SSN; and

* Obtaining permission to include the SSN in any electronic system.

Records Management maintains standards to address the handling of SSNs in paper documents, and the disposal of

SSNs in any format. Adherence to these standards is required. The standards address:

Virginia Polytechnic Institute and State University Policy 1060

Revision: 0 May 25, 2007

Policy on Social Security Numbers Page 4 of 5

* Secure storage of SSNs;

* Appropriate methods and documentation required for disposal of paper or electronic documents containing

SSNs.

3. Approved Language

University forms and documents that collect SSNs will use the language included below. Should circumstances

arise in which the following statements are not appropriate, the data administrators (data trustee or data steward)

will work with General Counsel to provide an appropriate alternative statement.

Student forms: "Furnishing a Social Security number (SSN) is voluntary and not required for enrollment. However,

Virginia Tech is required by federal law to report to the Internal Revenue Service (IRS) the SSN of tuition-paying

students. The university's Office of Scholarships and Financial Aid also has requirements for SSN reporting.

Failure to provide the SSN may delay or prevent your enrollment. The university may disclose your Social Security

number when required by law, or to external entities acting as the university's contractor or agent."

Employee forms: "Virginia Tech is required by federal law to report income along with Social Security numbers

(SSNs) for all employees to whom compensation is paid. The university may disclose your Social Security number

when required by law, or to external entities acting as the university's contractor or agent."

General statement for student handbooks, course timetables, and related materials: "Virginia Tech is committed to

protecting the privacy of its students, employees, alumni, and other associated individuals. At times, the university

will ask you for your Social Security number. Federal and state law requires the collection of your Social Security

number for certain purposes such as those relating to employment, taxes, and student aid.

The university may make the request for your Social Security number at a time when it is easiest for you to provide

it, even if the need is not yet mandatory. For example, the university is required by the IRS to supply the name,

address, and Social Security number of every tuition-paying student. The university is also required to have a valid

Social Security number before an individual can receive compensation. Thus, without your Social Security number,

the university cannot grant an assistantship or provide other employment. Virginia Tech may ask for your Social

Security number in anticipation of need, such as at application for admission or application for employment.

The university may disclose your Social Security number when required by law, or to external entities acting as the

university's contractor or agent.

This statement was created for informational purposes only and may be amended or altered at any time."

4. Definitions

Data administration. Policy 7100 (http://www.policies.vt.edu/7100.pdf) sets forth responsibilities for data trustees

and data stewards, and describes more fully the use of data elements' level of confidentiality (limited access;

university internal use). Data stewards are university directors who oversee data management functions related to

the capture, maintenance, and dissemination of data for a particular operational area. Data Stewards generally report

to a Data Trustee. Data trustees are senior university officials who have planning and policy-level responsibilities

for university data and who assign accountability for data management.

Point of service-a physical or electronic interaction between the university and its employees, students or other

individuals, during which the university provides physical, educational, informational, or electronic services to the

individual.

Virginia Polytechnic Institute and State University Policy 1060

Revision: 0 May 25, 2007

Policy on Social Security Numbers Page 5 of 5

Limited access-classification of data that requires individual authorization prior to access. In the case of SSNs,

access is granted on a need basis.

SSN-primarily refers to the Social Security number assigned by the Social Security Administration, and also to

the Individual Taxpayer Identification number assigned by the Internal Revenue Service to individuals. SSN

excludes other government-issued identifiers, whether to individuals or corporate entities.

Virginia Tech ID number (VT ID number)-alphanumeric string that uniquely associates various records with

an individual within the university administrative information system.

5. References

Policy 2000: Management of University Records

http://www.policies.vt.edu/2000.pdf

Policy 7100: Administrative Data Management and Access Policy

http://www.policies.vt.edu/7100.pdf

Code of Virginia § 2.2-3808

http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+2.2-3808

Set-Off-Debt Collection Act: Code of Virginia § 58.1-521

http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+58.1-521

Privacy Act of 1974 (US Code)

6. Approval and Revisions

APPROVED:

Approved May 25, 2007 by the Executive Vice President and Chief Operating Officer, James A. Hyatt.

Return to Skip Menu

Featured Content

Return to Skip Menu

Skip Menu

Search

Main Navigation

Main Content

Featured Content

Footer