Social Security Numbers (SSNs) are data of High sensitivity. Their unauthorized disclosure could cause significant harm to individuals and the university, so it is important to protect them appropriately.
The following guidance describes how to comply with Social Security Number Privacy and Protection (DS-10).
General Guidelines for Working with SSNs
- Only collect or communicate SSNs when needed for a specific business purpose that cannot be met without the use of SSNs.
- Do not use SSNs as account numbers or identifiers for individuals.
- Collect, process, and store SSNs using only services approved for SSNs. Refer to the Sensitive Data Guide entry about Social Security Numbers (U-M login required).
- Limit access to SSNs to those who must use them for the specific purpose for which they were collected.
- Properly dispose of SSNs in electronic or physical format when they are no longer needed.
- Never disclose an individual’s SSN to an entity outside the university, unless required by law or after obtaining consent from the individual.
- Do not display SSNs or leave them in public view.
- If you need to store or access SSNs on a personally owned device, be sure to consult with ITS Information Assurance via the ITS Service Center.
- If you are aware of unauthorized disclosure, loss, or theft of SSNs from U-M records or record systems, report it as an IT Security Incident.
Best Practices for Using SSNs with Approved Services
The Sensitive Data Guide entry for Social Security Numbers (U-M login required) lists a number of services that can be used to store and transmit SSNs. Even with approved services, note that:
- SSNs should not be stored in an individual's files or folders.
- SSNs should be stored in a team's file or folder with access limited to the team members with a business need for that data.
- SSNs should be deleted when no longer needed or when transferred from a collection system (e.g., Dropbox) to appropriate storage systems (e.g., PeopleSoft).
If You Receive an SSN
In the event you receive a communication with SSNs, you should:
- Record the SSN in a secure location as listed in the Sensitive Data Guide.
- Delete the email, attachment, or voicemail as soon as it's no longer needed. Destroy or securely file any paper copies.
- If you received the SSN from a U-M sender via an insecure communication method, direct the sender to this webpage and ask that they use a secure communication method in the future.
If you have questions about transmitting or storing SSNs, contact ITS Information Assurance through the ITS Service Center.