COUNCIL Reports on the April 18 Agenda


Report of the Task Force on Privacy of Personal Information

April 9, 2001

Summary

A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information."(1) A Wall Street Journal/ABC poll on September 16, 1999, asked Americans what concerned them most in the coming century. "Loss of personal privacy" was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming had scores of 23 percent or less.

--Standards for Privacy of Individually Identifiable Health Information, DHHS

The term "identity theft" is used to refer to the fraudulent use of personal information without the person's knowledge to obtain credit cards or otherwise obtain goods and services. Identity theft may lead to significant monetary loss, loss of credit and difficulty in obtaining employment or housing. The Privacy Rights Clearinghouse estimates that between 500,000 and 700,000 Americans were victims of identity theft last year.

Since social security numbers play an important role in facilitating identity theft, the use of social security numbers as student and staff identifiers by the University puts each member of the University community at risk. The University took an important step toward reducing this risk by removing the social security number from the Penn Card and replacing it with a Penn ID number. Nevertheless social security numbers are still used as personal identifiers in myriad student and staff data bases. In some of these applications the use of social security numbers is mandated by law. In many more they are not. Under the Family Educational Rights and Privacy Act of 1974 a student's social security number generally may not be disclosed without the student's consent.

Social security numbers are available electronically in the Data Warehouse to authorized users, even when those users do not need to know the social security number for the application for which the user has been authorized. Social security numbers appear on many printed and electronic forms although their use can be replaced by the Penn ID. Social security numbers are used as the personal identifier by one of the University's major health benefit providers and by the student health insurance provider.

The Task Force on Privacy of Personal Information believes that it is vitally important for the University to cease use of social security numbers as a personal identifier except where mandated by law. Specific recommendations toward this goal are given in the Task Force report.

The privacy regulations proposed under the Health Insurance Portability and Accountability Act afford individuals within the University an appropriate level of privacy of protected health information. It is not our intention here to comment on the role of the University of Pennsylvania Health System in ensuring this privacy. However, it is the role of the University to ensure that the benefit providers with which the University deals are in compliance with these regulations. Even if the final governmental regulations are scaled back, the University should ensure that protected health information should not be disseminated unless the individual has originally consented to such dissemination (or use) and that when use or dissemination is permitted, only the minimum necessary information is disseminated.

Privacy of personal information is an important component of individual freedom. That privacy is compromised when the University uses personal information for activities that are not directly related to the mission of the University. Individuals should be informed of all such use and be given the opportunity to "opt out" of such use. Telephone solicitations are particularly onerous.

Penn students regularly receive mail solicitations based upon their status as students. Most of these are harmless but solicitations for credit cards provide an opportunity for fraud. The Task Force could find no evidence that such solicitations were sanctioned by the University. Most likely they were made possible by information published in printed and on-line directories. The Task Force recommends that the University take actions to prevent the inappropriate use of directory information.

Finally, the University of Pennsylvania is a large decentralized organization. Responsibility for maintaining privacy of personal information is piecemeal, unfocused and uncoordinated. The Task Force recommends that a Chief Privacy Officer be appointed with responsibility and authority to carry out the recommendations of this report.

Background

The Task Force on Privacy of Personal Information was created in the Fall of 2000 by the Chair of the University Council Steering Committee in response to concerns about increasing threats to personal privacy. The Task Force, with representation from the Council Committee on Communications and the Council Committee on Personnel Benefits, was charged with exploring the current procedures for ensuring the privacy of the personal information relating to students, faculty, and staff of which the University is custodian and making recommendations that would enhance the security afforded this information. The six members of the task force include a graduate and undergraduate student, two staff members and two faculty members.

Among the issues that the Task Force was asked to consider were the following:

  1. privacy of medical records,
  2. security of University computer files containing personal information,
  3. use of University Directory Information (e.g., the MBNA solicitation),
  4. protection of information that could lead to identity theft and more generally to fraud.

The Task Force met with representatives of the following University Departments:

  1. Office of the General Counsel,
  2. Office of Information Systems and Computing,
  3. University Information Security Office (a division of ISC),
  4. Business Services,
  5. Office of the Registrar.

In addition, telephone conversations were held between the chair of the Task Force and representatives of the following departments:

  1. Division of Human Resources,
  2. Office of the Comptroller,
  3. Office of the Vice Provost for University Life,
  4. SAS Computing,
  5. Office of Audit and Compliance,
  6. Wharton Information Technology.

The Task Force is pleased to report that, without exception, it received full cooperation from each of the individuals that it contacted and, in general, these individuals were fully forthcoming in providing information and advice to the Task Force. We believe that there is general agreement that protection of personal information is an important function of the University.

Privacy of personal information is not a new concern either within the University or in the broader society. This information is already the subject of various laws and internal University policies.

The Family Educational Rights and Privacy Act of 1974 (2) (FERPA) also known as the Buckley amendment, provides privacy rights for student records. University guidelines, however, confer greater privacy rights in certain areas than does federal law, and these guidelines contain more than the federally mandated information with respect to such policy.

Specific University policy sets standards for (A) informing individuals in attendance of their rights under FERPA, the implementing regulation, and University guidelines, (B) permitting students to inspect and review their records, (C) not disclosing personally identifiable information from the records of a student or an applicant for admission without his or her prior written consent, (D) maintaining a record of disclosures of personally identifiable information from the records of a student and permitting a student to inspect that record, and (E) providing a student with an opportunity to seek the correction of his or her records through a request to amend his or her records or a hearing.

Section V.A. of the Handbook for Faculty and Academic Administrators sets forth the University's Policy on Confidentiality of Employee Records. It begins with (3)

Every person entrusted with University files should keep in mind that the contents of individual personnel files are confidential. Under no circumstances should confidential personnel files be opened to any unauthorized person or group.

The Health Insurance Portability and Accountability Act (4,5) (HIPAA) provides a general framework for the types of permissions required for the use and disclosure of protected health information (PHI). Under these rules PHI may not be disseminated, even for purposes of treatment, payment or health care operations, unless the individual has originally consented to the dissemination (or use). When use or dissemination is permitted, only the minimum necessary information may be disseminated. In addition, protected health information may not be used for purposes other than treatment, payment or health care operations unless the patient has expressly authorized the use or dissemination, or the use or dissemination is specifically permitted by the rule or covered entity's privacy notice.

Privacy of U.S. Mail and of telephone communication is regulated by federal statutes while other University policies deal with privacy of electronic information, University mail and voice mail.

Discussion

"Privacy is to the information age what environment is to the industrial age: something that needs to be attended to on the front end."

--Deirdre Mulligan as quoted in Philadelphia Inquirer, February 15, 2001

"the believer in personal freedom is saying to the compilers of dossiers: ask me first. Before following my movements and recording my habits, get my approval -- my informed, written, advance consent. I have the right to decide how much information about me to reveal to you for your profitable use or sale. It is up to me to decide whether to consent to trading that information of value to you in return for whatever benefit you have to offer me."

--William Safire, New York Times, March 12, 2001

These are not theoretical issues. As the following two recent incidents show, the University community is not immune from fraud and illegality.

True Identity Fraud Alert

"Attention--Students and Staff: an unknown person has been phoning parents of students and former students claiming he is a Philadelphia Police Detective that works out of Southwest Detective Division. He has used the name Detective Michael Williams and Lt. Phil Rheil. The 'Officer' claims that he has arrested a person who was using your name, social security number and date of birth. He then asks if you will verify who you are by supplying him with the same information. Once he has your vital information, he claims that the individual he has under arrest has also opened credit card accounts from Visa, Master Card and American Express in your name and then asks for your credit card numbers to compare with the cards he has 'confiscated'. The male then takes your information and places orders for laptop computers and other high end items that he can quickly sell."

--e-mail alert, March 15, 2001

"A University employee was arrested last week for using students' social security numbers--obtained from Penn computer systems--to open credit card accounts."

--Daily Pennsylvanian, March 27, 2001

In general at Penn, we believe that personal information, including student records, is well protected from disclosure to parties outside of the University, although we have heard reports of records being disposed of in a manner that would compromise the security of the information they contain. Compliance with FERPA requires protection of the information contained in student records. The Office of Information Systems and Computing is vigilant in protecting the University's electronic records from access by hackers and others outside the University. Compliance with the proposed HIPAA regulations will require that electronic files containing protected health information be encrypted when sent outside the University; ISC has established procedures for this encryption and many files are already encrypted for transmission. The major weakness of the University's data administration program is the lack of safeguards within the University. The fraud case reported in the Daily Pennsylvanian of March 27, 2001 involved a University employee, and this was not the first case in which a University employee with access to personal information misused that information.

"Social security numbers were not designed to be a universal identifier of American citizens. Yet over time that is what they have become. In 1943, President Roosevelt issued an executive order that required federal agencies to use the Social Security number for identifying people rather than having each agency waste money developing its own numbering system."(6)

Over the years the role of the social security number has increased to the extent that all of an individual's financial records (bank accounts, credit histories, credit cards, etc.) are tied to his or her social security number. Theft of social security numbers has led to the rapidly growing crime of identity theft. By applying for credit cards using another person's name and social security number it has become possible to destroy that individual's credit worthiness. The theft is much easier than the steps necessary to repair the reputation of the victim. This is particularly important since credit checks may affect an individual's employment and housing as well as finances.

Within the University, social security numbers are needed to report earnings to the state, federal, and Philadelphia governments. They are needed to process financial aid applications and they are needed to secure test results from the Educational Testing Service. Beyond these and similar uses mandated by law, social security numbers should not be used as a Penn identifier. The theft of a wallet containing a card with social security number, birth date and home address provides the opportunity for much more serious crime. Misuse of a computer database containing this information is no less serious.

The University took a major step away from social security numbers in 1997 by removing them from the Penn Card. In its place each student and employee was issued a Penn ID number that appears on the Penn Card. Despite this action, social security numbers still appear on grade sheets, benefit information forms, pay stubs and many other places. Social security numbers are a field in the University's Data Warehouse and, as such, are available to anyone who has access to the Data Warehouse.

The Task Force has neither the time nor the expertise to track down each use of the social security number as a personal identifier. We are told, however, that the social security number is used as the personal identifier in most of the student and employee data bases (e.g., student records) within the University. Social security numbers are routinely used on class rosters and grade sheets. Students on the committee report that these materials are frequently posted in hallways to report grades, circulated for sign-in attendance at classes, and disclosed to students in other manners. Such use, without student consent, is a violation of FERPA (7). The use of social security numbers as personal identifiers poses a serious risk to the individual. It should not be surprising that most of our recommendations center on this issue.

Directory information is, in general, not protected by the laws and policies cited above except to the extent that individuals have the opportunity to request that their address and telephone information not be listed. We refer to this as the "opt out option." While we have not been able to find any specific protocols under which the University will provide addresses of students and/or employees to internal or external organizations, the guardians of this information have uniformly stated to the Task Force that such information is provided only in cases when needed for "legitimate University purposes." Nevertheless, our students are barraged by a virtual blizzard of junk mail that comes to them because they are Penn students. Almost certainly the source of these mailing lists is the student directories. Under normal circumstances, solicitations for pizzas, class rings, subscriptions and such are part of everyday life and are at worst a minor irritant. Pre-approved credit card solicitations, on the other hand, provide an opportunity for fraud and other criminal activity when the applications are improperly discarded or when the mail is delivered in an insecure location.

Telephone solicitations are intrusive, usually unwanted and, for many, a major irritant. Such solicitations may come to the employee's workplace and affect his or her productivity. The University's association with solicitations unrelated to the primary purpose of the University diminishes the stature of the University in the eyes of students and employees and may create a feeling of hostility and alienation toward the University. Each student and employee should have the right to opt out of such solicitations.

Recommendations (8)

  1. Student and employee data bases should be rewritten so that Penn ID (and not social security number) is used as a personal identifier. In those cases where social security number is mandated by law, the social security number should not appear in printed or electronic form except as required by law.
  2. The previous recommendation requires that a Penn ID be assigned when a student accepts the University's offer of admission rather than when the student appears on campus.
  3. Educational information about campus safety should include information about identity theft and the need to maintain privacy of social security numbers, birth dates, and other personal identifiers. Particular emphasis should be given to the proper disposal of credit card solicitations and the use of social security numbers and credit card numbers over the internet.
  4. University employees should provide their social security numbers directly to the payroll department and not to departmental administrators unless this is physically impossible (e.g., the new employee is out of the country).
  5. Social security numbers should not be required on any form unless mandated by law. In addition, current forms should be reviewed for inappropriate use of social security numbers.
  6. Protocols must be set for the proper disposal of forms, paper records and computer storage media (e.g., disks, tapes, and hard drives) containing personal information that are no longer required. At a minimum, the paper forms should be shredded and the electronic media should be reformatted.
  7. Social security numbers should not be used on health benefit cards issued by Penn benefit providers (9).
  8. Faculty and staff should be reminded on a regular basis of policies and procedures concerning privacy of personal information.
  9. University employees with access to databases, electronic and paper, containing personal information should be asked to acknowledge, in writing, that they are aware of the policies and procedures protecting this information.
  10. Social security numbers should not be used on grade sheets, course lists, or change of grade forms and, in general, should not be made available to faculty members or academic departments.
  11. When access is given to an individual's data (either electronic or paper), that access should be given only to the minimum information required for the specific use. In particular, access to social security numbers should be provided only for those applications where their use is mandated by law.
  12. The (tentative) HIPAA regulations concerning protected health information afford individuals within the University an appropriate level of privacy. It is the role of the University to ensure that the benefit providers with which the University deals are in compliance with these regulations. It is possible and even likely that the Bush administration will take steps to weaken these protections; nevertheless, the University should ensure that protected health information should not be disseminated unless the individual has originally consented to such dissemination (or use) and that when use or dissemination is permitted, only the minimum necessary information is disseminated.
  13. Protocols should be developed for use of directory information both within the University and by outside vendors (e.g., solicitations for class rings).
  14. University directory information should contain a statement that the information is provided only for legitimate University use. Use of the data should be monitored through the creation of fictive entries and the University should take action to ensure that the information is not used inappropriately. In particular, solicitations for credit cards should be closely monitored.
  15. Inform each student and employee(10), on an annual basis with an individualized mailing, of the ways that his or her personal information may be shared with organizations outside of the University and provide the individual with a card that can be returned to opt out of such sharing. This is particularly important when such information is used for telephone solicitations.
  16. The University of Pennsylvania is a very decentralized organization. Data bases are maintained by a large number of departments and units. In this environment the approach to privacy is piecemeal, unfocused and uncoordinated. To focus on the issues involving privacy, the task force recommends that the University appoint a Chief Privacy Officer (CPO). It seems to us that the CPO should be a member of the Office of Audit and Compliance although we are open to other suggestions.
  17. Among the responsibilities of the CPO should be the following: The CPO should be responsible, on a University wide basis, for ensuring compliance with FERPA and, on the University level (not UPHS) with HIPAA. Much of the work of the CPO would be educational, providing guidance to the University community on the appropriate use of personal information. The CPO would be responsible for monitoring the use of directory information as well as ensuring that students and employees are made aware of their right to opt out of having their information listed. The CPO would work closely with ISC in the design of a new student record system.

The University has made extraordinary progress in improving the physical safety of its students and staff during the past few years. Extensive resources have been allocated to this endeavor. It is now time to extend that effort to procedures that protect the University community from identity theft and other fraudulent activities. The recommendations articulated above provide an outline for initial activities toward that goal.

Task force members:

Jesse A. Cohn, Undergraduate Student, Wharton

Gene N. Haldeman, Undergraduate Admissions

Daniel Orr, Graduate Student, Annenberg

Gerald J. Porter, Professor, Mathematics, Chair

Susan Russoniello, Career Services

David S. Smith, Associate Professor, Anesthesia


Footnotes

  1. See Harris Equifax, Health Information Privacy Study (1993) www.epic.org/privacy/medical/polls.html
  2. The full University policy is available at www.upenn.edu/privacy/ .
  3. See www.upenn.edu/assoc-provost/handbook/v_a.htm
  4. These comments are based upon the rules published in the Federal Register (65 Fed. Reg. 82462). It is our understanding that the Bush administration is reviewing these rules and may substantially amend them.
  5. For a full text of these regulations see http://aspe.os.dhhs.gov/admnsimp.
  6. An interesting book on privacy is Database Nation by Simson Garfinkel (O'Reilly 2000) from which this quote is taken.
  7. In Krebs v. Rutgers (797 F. Supp. 1246; 1992 U.S. Dist. LEXIS 11543) the federal district court of New Jersey enjoined Rutgers from printing social security numbers on class rosters and grade sheets when these materials were circulated. The court noted: "This practice allows any student to decode another student's grades, obtain a credit report, etc."
  8. Some of these recommendations have already been implemented by some departments in the University.
  9. Social Security numbers are no longer used as identifiers for Plan 100, PennCare, Blue Cross/Blue Shield 65 Special and Caremark (prescriptions) ID cards. The major providers who continue to use social security numbers are Keystone Health Plan East and Chickering (student health insurance).
  10. The Task Force believes that the procedures recommended in the report should apply equally to alumni records, where appropriate. We have excluded alumni records from our report since some members of the committee did not believe that alumni records were included in the charge to the committee.


Almanac, Vol. 47, No. 30, April 17, 2001
