COUNCIL Reports on the April 18 Agenda
Report of the Task Force on Privacy of Personal Information
April 9, 2001
A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." (1) A Wall Street Journal/ABC poll on September 16, 1999, asked Americans what concerned them most in the coming century. "Loss of personal privacy" was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming had scores of 23 percent or less.
--Standards for Privacy of Individually Identifiable Health Information, DHHS
The term "identity theft" is used to refer to the fraudulent use of personal information without the person's knowledge to obtain credit cards or otherwise obtain goods and services. Identity theft may lead to significant monetary loss, loss of credit and difficulty in obtaining employment or housing. The Privacy Rights Clearinghouse estimates that between 500,000 and 700,000 Americans were victims of identity theft last year.
Since social security numbers play an important role in facilitating identity theft, the use of social security numbers as student and staff identifiers by the University puts each member of the University community at risk. The University took an important step toward reducing this risk by removing the social security number from the Penn Card and replacing it with a Penn ID number. Nevertheless social security numbers are still used as personal identifiers in myriad student and staff data bases. In some of these applications the use of social security numbers is mandated by law. In many more they are not. Under the Family Educational Rights and Privacy Act of 1974 a student's social security number generally may not be disclosed without the student's consent.
Social security numbers are available electronically in the Data Warehouse to authorized users, even when those users do not need to know the social security number for the application for which the user has been authorized. Social security numbers appear on many printed and electronic forms although their use can be replaced by the Penn ID. Social security numbers are used as the personal identifier by one of the University's major health benefit providers and by the student health insurance provider.
The Task Force on Privacy of Personal Information believes that it is vitally important for the University to cease use of social security numbers as a personal identifier except where mandated by law. Specific recommendations toward this goal are given in the Task Force report.
The privacy regulations proposed under the Health Insurance Portability and Accountability Act afford individuals within the University an appropriate level of privacy of protected health information. It is not our intention here to comment on the role of the University of Pennsylvania Health System in ensuring this privacy. However, it is the role of the University to ensure that the benefit providers with which the University deals are in compliance with these regulations. Even if the final governmental regulations are scaled back, the University should ensure that protected health information is not disseminated unless the individual has originally consented to such dissemination (or use) and that when use or dissemination is permitted, only the minimum necessary information is disseminated.
Privacy of personal information is an important component of individual freedom. That privacy is compromised when the University uses personal information for activities that are not directly related to the mission of the University. Individuals should be informed of all such use and be given the opportunity to "opt out" of such use. Telephone solicitations are particularly onerous.
Penn students regularly receive mail solicitations based upon their status as students. Most of these are harmless but solicitations for credit cards provide an opportunity for fraud. The Task Force could find no evidence that such solicitations were sanctioned by the University. Most likely they were made possible by information published in printed and on-line directories. The Task Force recommends that the University take actions to prevent the inappropriate use of directory information.
Finally, the University of Pennsylvania is a large decentralized organization. Responsibility for maintaining privacy of personal information is piecemeal, unfocused and uncoordinated. The Task Force recommends that a Chief Privacy Officer be appointed with responsibility and authority to carry out the recommendations of this report.
The Task Force on Privacy of Personal Information was created in the Fall of 2000 by the Chair of the University Council Steering Committee in response to concerns about increasing threats to personal privacy. The Task Force, with representation from the Council Committee on Communications and the Council Committee on Personnel Benefits, was charged with exploring the current procedures for ensuring the privacy of the personal information relating to students, faculty, and staff of which the University is custodian and making recommendations that would enhance the security afforded this information. The six members of the task force include a graduate and undergraduate student, two staff members and two faculty members.
Among the issues that the Task Force was asked to consider were the following:
The Task Force met with representatives of the following University Departments:
In addition, telephone conversations were held between the chair of the Task Force and representatives of the following departments:
The Task Force is pleased to report that, without exception, it received full cooperation from each of the individuals that it contacted and, in general, these individuals were fully forthcoming in providing information and advice to the Task Force. We believe that there is general agreement that protection of personal information is an important function of the University.
Privacy of personal information is not a new concern either within the University or in the broader society. This information is already the subject of various laws and internal University policies.
The Family Educational Rights and Privacy Act of 1974 (2) (FERPA), also known as the Buckley amendment, provides privacy rights for student records. University guidelines, however, confer greater privacy rights in certain areas than does federal law, and these guidelines contain more than the federally mandated information with respect to such policy.
Specific University policy sets standards for (A) informing individuals in attendance of their rights under FERPA, the implementing regulation, and University guidelines, (B) permitting students to inspect and review their records, (C) not disclosing personally identifiable information from the records of a student or an applicant for admission without his or her prior written consent, (D) maintaining a record of disclosures of personally identifiable information from the records of a student and permitting a student to inspect that record, and (E) providing a student with an opportunity to seek the correction of his or her records through a request to amend his or her records or a hearing.
Section V.A. of the Handbook for Faculty and Academic Administrators sets forth the University's Policy on Confidentiality of Employee Records. It begins with (3)
The Health Insurance Portability and Accountability Act (4,5) (HIPAA) provides a general framework for the types of permissions required for the use and disclosure of protected health information (PHI). Under these rules PHI may not be disseminated, even for purposes of treatment, payment or health care operations, unless the individual has originally consented to the dissemination (or use). When use or dissemination is permitted, only the minimum necessary information may be disseminated. In addition, protected health information may not be used for purposes other than treatment, payment or health care operations unless the patient has expressly authorized the use or dissemination, or the use or dissemination is specifically permitted by the rule or covered entity's privacy notice.
Privacy of U.S. Mail and of telephone communication is regulated by federal statutes while other University policies deal with privacy of electronic information, University mail and voice mail.
"Privacy is to the information age what environment is to the industrial age: something that needs to be attended to on the front end."
--Deirdre Mulligan as quoted in Philadelphia Inquirer, February 15, 2001
"the believer in personal freedom is saying to the compilers of dossiers: ask me first. Before following my movements and recording my habits, get my approval -- my informed, written, advance consent. I have the right to decide how much information about me to reveal to you for your profitable use or sale. It is up to me to decide whether to consent to trading that information of value to you in return for whatever benefit you have to offer me."
--William Safire, New York Times, March 12, 2001
These are not theoretical issues. As the following two recent incidents show, the University community is not immune from fraud and illegality.
True Identity Fraud Alert
"Attention--Students and Staff: an unknown person has been phoning parents of students and former students claiming he is a Philadelphia Police Detective that works out of Southwest Detective Division. He has used the name Detective Michael Williams and Lt. Phil Rheil. The 'Officer' claims that he has arrested a person who was using your name, social security number and date of birth. He then asks if you will verify who you are by supplying him with the same information. Once he has your vital information, he claims that the individual he has under arrest has also opened credit card accounts from Visa, Master Card and American Express in your name and then asks for your credit card numbers to compare with the cards he has "confiscated". The male then takes your information and places orders for laptop computers and other high end items that he can quickly sell."
--e-mail alert, March 15, 2001
"A University employee was arrested last week for using students' social security numbers--obtained from Penn computer systems--to open credit card accounts."
--Daily Pennsylvanian, March 27, 2001
In general at Penn, we believe that personal information, including student records, is well protected from disclosure to parties outside of the University, although we have heard reports of records being disposed of in a manner that would compromise the security of the information they contain. Compliance with FERPA requires protection of the information contained in student records. The Office of Information Systems and Computing is vigilant in protecting the University's electronic records from access by hackers and others outside the University. Compliance with the proposed HIPAA regulations will require that electronic files containing protected health information be encrypted when sent outside the University. ISC has established procedures for this encryption and many files are already encrypted for transmission. The major weakness of the University's data administration program is the lack of safeguards within the University. The fraud case reported in the Daily Pennsylvanian of March 27, 2001 involved a University employee and this was not the first case in which a University employee, with access to personal information, misused that information.
"Social security numbers were not designed to be a universal identifier of American citizens. Yet over time that is what they have become. In 1943, President Roosevelt issued an executive order that required federal agencies to use the Social Security number for identifying people rather than having each agency waste money developing its own numbering system."(6)
Over the years the role of the social security number has increased to the extent that all of an individual's financial records (bank accounts, credit histories, credit cards, etc.) are tied to his or her social security number. Theft of social security numbers has led to the rapidly growing crime of identity theft. By applying for credit cards using another person's name and social security number it has become possible to destroy that individual's credit worthiness. The theft is much easier than the steps necessary to repair the reputation of the victim. This is particularly important since credit checks may affect an individual's employment and housing as well as finances.
Within the University, social security numbers are needed to report earnings to the state, federal, and Philadelphia governments. They are needed to process financial aid applications and they are needed to secure test results from the Educational Testing Service. Beyond these and similar uses mandated by law, social security numbers should not be used as a Penn identifier. The theft of a wallet containing a card with social security number, birth date and home address provides the opportunity for much more serious crime. Misuse of a computer database containing this information is no less serious.
The University took a major step away from social security numbers in 1997 by removing them from the Penn Card. In its place each student and employee was issued a Penn ID number that appears on the Penn Card. Despite this action, social security numbers still appear on grade sheets, benefit information forms, pay stubs and many other places. Social security numbers are a field in the University's Data Warehouse and, as such, are available to anyone who has access to the Data Warehouse.
The Task Force has neither the time nor the expertise to track down each use of the social security number as a personal identifier. We are told, however, that the social security number is used as the personal identifier in most of the student and employee data bases (e.g., student records) within the University. Social security numbers are routinely used on class rosters and grade sheets. Students on the committee report that these materials are frequently posted in hallways to report grades, circulated for sign-in attendance at classes, and disclosed to students in other manners. Such use, without student consent, is a violation of FERPA (7). The use of social security numbers as personal identifiers poses a serious risk to the individual. It should not be surprising that most of our recommendations center on this issue.
Directory information is, in general, not protected by the laws and policies cited above except to the extent that individuals have the opportunity to request that their address and telephone information not be listed. We refer to this as the "opt out option." While we have not been able to find any specific protocols under which the University will provide addresses of students and/or employees to internal or external organizations, the guardians of this information have uniformly stated to the Task Force that such information is provided only in cases when needed for "legitimate University purposes." Nevertheless, our students are barraged by a virtual blizzard of junk mail that comes to them because they are Penn students. Almost certainly the source of these mailing lists is the student directories. Under normal circumstances, solicitations for pizzas, class rings, subscriptions and such are part of everyday life and are at worst a minor irritant. Pre-approved credit card solicitations, on the other hand, provide an opportunity for fraud and other criminal activity when the applications are improperly discarded or when the mail is delivered in an insecure location.
Telephone solicitations are intrusive, usually unwanted and, for many, a major irritant. Such solicitations may come to the employee's workplace and affect his or her productivity. The University's association with solicitations unrelated to the primary purpose of the University diminishes the stature of the University in the eyes of students and employees and may create a feeling of hostility and alienation toward the University. Each student and employee should have the right to opt out of such solicitations.
The University has made extraordinary progress in improving the physical safety of its students and staff during the past few years. Extensive resources have been allocated to this endeavor. It is now time to extend that effort to procedures that protect the University community from identity theft and other fraudulent activities. The recommendations articulated above provide an outline for initial activities toward that goal.
Task force members:
Almanac, Vol. 47, No. 30, April 17, 2001