on Privacy Issues Related to
Social Security Numbers
2002, we wrote to the Penn community about the importance
protecting personal privacy at Penn and asked for help
in addressing one specific privacy risk--the unnecessary
use and display of Social Security numbers (SSNs). As we
recognized then, SSNs are often necessary as a way to identify
individuals uniquely and to fulfill legal requirements;
however, SSNs can also be used to commit identity theft,
which causes considerable harm to its victims. The Federal
Trade Commission recently reported that victims of identity
theft suffer losses of $4,800 on average and spend 30 hours
on average to address the problems the theft has created.
Also, as recent press reports have shown, hackers have
targeted information systems at colleges and universities,
including those containing personal information such as
are gratified to report that there has been an enormous
at Penn to change business processes, forms, and information
systems, to reduce the availability of SSNs and thus to
better protect the Penn community. We have seen changes
in the Penn's Way campaign, in the tuition reimbursement
program, in the way student grades are posted, and in forms
used by many schools, as well as in other areas.
we extend our efforts by announcing two new programs and
again asking the Penn community to assist in further reducing
identity theft risk. The first new program is the establishment
of privacy liaisons in Penn's Schools and centers. These
privacy liaisons serve as points of contact for privacy
questions or concerns in their School or center. The privacy
liaisons will also be working to raise privacy awareness
and to apply risk reduction strategies. Second, we are
establishing a more detailed SSN Action Plan for use by
the privacy liaisons and by other members of the Penn community
who can assist in our joint effort.
SSN Action Plan and the list of Privacy Liaisons are below.
Conn, Deputy Provost
Whitfield, Vice President for Audit & Compliance
Plan Regarding the Privacy of Social Security Numbers
actively phasing out the use of SSNs in student, personnel,
and other records whenever
possible. Schools and centers should review and apply
the steps outlined below periodically to minimize identity
theft risks to our community, without unduly compromising
Penn's mission of providing superior education, research,
and service. This plan, and all of the documents referenced
in it, are all available at www.upenn.edu/privacy.
to the privacy liaisons is to coordinate implementation
of the following:
Awareness Regarding Privacy Issues and
Penn's privacy-related awareness
tools, such as Focus on Privacy: Questions and
Answers about the Privacy of Student Records, Penn's Statement
of Goals Regarding Social Security Numbers, and this Action
Plan, and use such tools to raise awareness with appropriate
audiences. More specifically, identify people in your unit
who have access to personal information and provide them
with relevant written guidance. In addition, to request
in-person training sessions, contact the University's Chief
Privacy Officer at firstname.lastname@example.org.
Social Security Numbers in Information
local information systems to determine where SSNs are
collected by your unit, including
extracts from central systems. Analyze whether there
is a need for such SSNs or whether PennIDs could be used
in their place. Information Systems and Computing's Office
of Data Administration, (215) 898-2173, is available as
a resource to assist in such conversion. Further,
a survey tool will be distributed in the coming weeks to
help identify and evaluate SSN risks in information systems.
3. Where there is a sufficient need to
collect and maintain SSNs:
a. Ensure that you adhere to Penn's
Critical Host Policy by registering machines holding SSNs
and applying the strong security standards set forth
in that policy.
b. Where possible, configure systems to allow
searches via name, PennID, or other criteria instead of
c. Mask the
first five (5) digits of the SSN where possible so that
only the last four (4) digits
4. Avoid using the SSN as the ID or password
for access to information systems where possible.
Social Security Numbers in Paper Documents
forms created and/or used by your unit to determine if
SSNs are requested. Where there
is a need to collect a unique identifier, evaluate whether
PennIDs can be requested in place of SSNs. If PennIDs cannot
be effectively used, consider whether the forms can request
only the last four digits of an individual's SSN.
6. Assess whether paper files containing
SSNs are being stored unnecessarily and are appropriate
for destruction under Penn's Guidelines for the Destruction
of Confidential Records. A Summary of Records Destruction
Guidelines can assist in this activity.
it is necessary to maintain SSNs in hard copy, keep such
documents secure from unauthorized
access by using locked cabinets or implementing other mechanisms
to restrict unauthorized physical access.
Social Security Numbers and Personnel
operational practices to restrict SSN access only to
individuals with a need to know such
information for legitimate Penn activities. Consider
whether it is necessary to give temporary workers access
to personal information.
Social Security Numbers and Third Parties
9. In negotiating
agreements with vendors, evaluate what identification
system the vendor is using
and analyze the feasibility of using a system other than
one based on SSNs.
10. In signing agreements with vendors,
include language, working with the Office of General Counsel,
that eliminates or limits use and disclosure of SSNs and,
as applicable, provides for confidential treatment of SSNs.
Liaisons in Schools and Centers
updates see www.upenn.edu/privacy/resources.htm)