When did the University adopt this policy?

The SSN/PII Policy was adopted January 2009.

How does the SSN/PII Policy differ from previous policies?

The University’s previous Information Technology Policy has been updated to include a data classification section. It defines the categories of Legally Restricted, Confidential, Internal University Use Only, and Public, and describes generally the level of protection each must receive. HR Policy 108 also requires University employees to protect confidential information.

The new SSN/PII policy has been created to provide additional guidance on these types of Legally Restricted data and how they may be collected, maintained, and destroyed. It prohibits a number of specific uses that have a high potential for disclosure.

Why do we need the SSN/PII Policy?

The reasons for this Policy are to prevent identity theft through unauthorized use of an individual’s SSN and/or PII and to comply with New York law. New York law mandates reporting to State agencies and to the individuals affected whenever a social security number (SSN) is disclosed in a manner not in compliance with law. New York law places specific restrictions on how an individual’s SSN and Personal Identifying Information (PII) may be acquired, used, stored and communicated.

Who do I contact if I have questions about the policy or registration process?

Please email your questions and comments to SSNRegistry@rochester.edu.

Am I still permitted to record Social Security Numbers (SSN)?

Yes, if it is needed for a current business purpose and you are recording SSN in a data collection that has been registered.

If you are planning to create a new data collection containing SSN, consult with a University Privacy Officer first.

Which data collections need to be registered?

Registration is required for collections that contain:

  • Whole SSN in the collection
  • Partial SSN (last four digits or some other part)

Registration is not required for collections that contain:

  • No partial or whole SSN
  • Employee PII information but no SSN

Why do I need to complete the SSN/PII Form?

The purpose of this form is to inform University risk managers of storage practices for restricted data types in all areas of the University. This information will be used to direct educational and risk reduction efforts to those situations that present the most significant reputational and financial risks to the University.

Does the SSN/PII Policy or related IT and record retention policies apply to affiliate organizations of the University (e.g. Highland Hospital, Visiting Nurse Service, etc.)?

None of these policies apply directly. The affiliates will adopt and follow their own policies, which will be similar to these University policies.

Do I have to look through all of my email for SSN?

You need to consider all of your email. If you have been following a consistent email filing practice, you may have very few places that you need to look through. For example, you may have received SSNs only in the course of performance evaluations or wage & salary programs and have filed all such email in one folder. Within those places, first look at your received and sent email that contains attachments.

If any contains SSN, consider whether you can now delete the attachment or the whole email, perhaps because you can rely on another office to maintain the primary copy of the same information. Then, apply the same process to message text in those email folders that are likely to contain SSN.

Do I have to look through all of my paper or electronic files to find all documents or records containing SSN?

As with email (see above), you need to consider all of your files. Pay particular attention to collections of forms. Note that forms may have changed over the years and that older forms may have invited or required entry of SSN while newer forms may not.

If I receive an e-mail containing someone's social security number (SSN), does that make me a custodian?

If you keep that e-mail, you will be creating a data collection containing SSN that you will have to register.

If you forward and delete the e-mail, make sure that you don’t retain a copy in a “sent mail” folder. Printing out and deleting the e-mail won’t solve your problem.

If you retain someone else’s SSN in any medium in any location under your control, you are creating a data collection that you must register.

I have paper records containing social security numbers (SSN) that I plan to retain. Is it safer to retain them in paper or to scan them to digital form and shred paper?

Each data collection kept in a different place under different security controls creates more risk of inadvertent disclosure. If your proposed conversion from paper to digital eliminates a confidential data storage location and if the digital copies will be stored in a previously existing secure storage location, then you probably will reduce the University’s overall risk. Contact your IT security support team for an assessment.

How do I make sure that SSN is secure when I send it electronically (e.g. email, file transfer)?

First, consider whether you need to continue sending SSN at all. Every time you send SSN, you are making a copy that needs to be protected in transit and at its destination. Review with your privacy officer whether there might be a different workflow that would allow SSN to stay where it is and be viewed securely by authorized persons.

If you must send SSN, follow these guidelines for secure communication:

Communication across the following data networks is considered adequately secure for SSN and other Legally Restricted Information:

  1. University wired data networks
  2. University wireless data networks named UR_Connected, UR_RC_InternalSecure, or UR_MCwireless.

Communication across all other networks, especially across the Internet outside the University, requires additional security measures, such as:

  1. HTTPS – the secure communication mode for Web browsers
  2. SFTP and SCP – secure file transfer software
  3. Virtual Private Networking (VPN) provided by University IT and URMC ISD
  4. Secure Email Service (currently available only to URMC e-mailboxes)
  5. Encrypted .zip archives

For assistance with any of these security measures, contact the IT Center or the URMC ISD Help Desk.

If I want to retain a paper record that contains an SSN but I don't need the SSN, can I just black out the SSN and retain the record without registering it?

Possibly. If you make the SSN unreadable and unrecoverable from that record, you do not need to register the record.

What is considered a sufficient method of redacting SSN in paper forms? A permanent ink marker?

To be certain, you might have to cut out and shred the SSN. A permanent ink marker might be sufficient. You would need to hold the form up to a light to see whether the marker has made the SSN completely unreadable.

Be aware that copy machines and fax machines can highlight very subtle differences in color density, possibly revealing SSNs that have not been thoroughly blacked out or that have been blacked out with a different type of ink.

What do we do with old paper payroll documents, such as payroll reporting "green sheets"?

The departmental green or blue copies of payroll sheets, used before the PeopleSoft HRMS system, should be shredded ASAP. The Payroll and Employment Records Center has already shredded the paper originals.

What do we do with old W-9 forms?

There is no need for departments to retain W-9 forms. When W-9 forms are required, they should be completed and sent to University Finance immediately. Any W-9 copy currently held by a department should be shredded ASAP. See also the Finance policy on payments to study subjects.

Are ITINs (Individual Taxpayer Identification Numbers) to be treated the same as SSNs?

ITINs typically are formatted like SSNs, are entered into the same data collection fields as SSNs, and are used for tax reporting purposes. When in doubt, treat ITINs like SSNs. Unless you are certain that a given data collection contains ITINs and no SSNs, now and in foreseeable future additions to that data collection, you should register the data collection.

If I have both electronic and paper copies of the same data, do I have to register one data collection or two?

Two data collections, because they are on different media. Typically, different media have different access control mechanisms that will need to be evaluated. You may wish to consider whether you can properly dispose of one of the copies in order to avoid having to register that collection.

Is a separate registration form required from each staff member in our department, or just one from our manager?

If each staff member controls access to a separate collection containing SSN, for example, a set of personnel files containing SSN that the staff member keeps locked in his or her desk, then that staff member must register that collection.

Alternatively, if staff members return personnel files to a central storage location in the office at the end of the business day, then only the manager would need to complete a registration for that central collection. If staff members do their work within a storage location that is locked at the end of the business day, the contents of that location might be considered a single collection.

Contact your privacy officer for an evaluation of atypical storage situations.

We keep a database containing SSN on a file server. Who is the custodian who will have to register that data collection?

To determine who the data custodian might be, look for the person who decides who is permitted access to the smallest or lowest level container that secures access to the data. For example, if the data is in an unencrypted Access database sitting in a file share, then the person who decides who has access to the file share is the custodian of that database. On the other hand, if the database is encrypted, the person who decides who is given the decryption key or password is the custodian.

The system administrator of a multi-file-share server typically would not be a data custodian under this policy, because that person is not deciding who is authorized to access each file share.

Do I have to register collections containing SSN that are maintained for UR by a business partner under contract to UR?

Yes. The UR employee who is responsible for monitoring the contract is the custodian for that data collection under this policy.

Do I have to register collections containing SSN that are maintained by non-UR persons or organizations to which UR is required to contribute data, but not under contract to UR?

No, you are not required to register.

The University requires us to collect SSN during clinical trial registration for payment purposes. Do I have to register all of these study participants?

University Finance policy on payments to study subjects requires that a W-9 form, including SSN, be completed and immediately sent to Finance when total payments to a study participant for the year for a given study reach $275 or more.

Copies of W-9 forms should not be retained by the research study or department. If a study has been authorized to collect SSN for purposes other than payment, that collection of SSNs must be registered.

Who needs to register a collection of paper medical records that move from a physician's office to an ambulatory department?

The custodian of the collection in the physician’s office might be the physician or the office manager. The custodian at the ambulatory department might be the administrator of that department. Although the specific patient files held at each of those locations may change over time, the ongoing existence of a collection of patient files at each location must be registered.

Do I have to register the fact that I receive prospective student folders (that contain SSN) for short periods of time and then hand these back to enrollment services?

No, if you hand these back by the end of the business day. If you routinely keep a (possibly changing) set of such folders in your possession, you must register this collection.

Do I have to sign my registration form? How do I do that?

By completing all elements of the registration form and e-mailing it from a University e-mail address to SSNRegistry@rochester.edu, you are attesting to the accuracy of the information. No other electronic confirmation or signature is required.

The policy information says we have to state who has access to the collection. Where should that be entered on the registration form?

The form currently includes only Part 1 of the registration. When the Privacy Officer follows up with you on Part 2 of the registration, you will be asked for this information.

What are examples of employee Personal Identifying Information (PII)?

NYS labor law section 203-d, effective 1/3/09, defines employee PII as:

  • social security number
  • home address or telephone number
  • personal electronic mail address
  • Internet identification name or password
  • parent’s surname prior to marriage
  • drivers’ license number or nondriver identification number

Am I allowed to keep employees' home telephone numbers?

Yes. However, the NYS Employee Personal Identifying Information Law effective 1/3/09 prohibits the University or any employer from making an employee’s home telephone number (and several other kinds of PII) available to the general public.

Are University-issued employee ID numbers or University ID numbers considered employee PII under NYS law or Legally Restricted Information under the University IT Policy?

No, not at this time. These numbers should be treated as “Internal University Use Only”.

Are University email addresses considered employee PII?

No, they are not considered PII.