1 The University of Texas at Tyler Protecting the Confidentiality of Social Security Numbers UTS165 Information Resources Use and Security Policy.

Presentation transcript:

1 The University of Texas at Tyler Protecting the Confidentiality of Social Security Numbers UTS165 Information Resources Use and Security Policy

2 What is the purpose of this training? This training provides general information about the confidentiality of social security numbers (SSNs) and the provisions of the UT System Information Resources Use and Security Policy (UTS165).

3 What will you learn in this training? You will learn about some of the key requirements of UTS165 and how those requirements will affect your work. Detailed information about using SSNs in your job duties will be provided by your department on an as-needed basis.

4 Why do we have UTS165?
- To increase awareness of the confidential nature of the SSN.
- To reduce the reliance on the SSN for identification purposes.
- To establish a consistent approach toward SSNs throughout UT Tyler.
- To ensure that UT Tyler handles SSNs in a confidential manner.

5 Why all the concern about SSNs?
- Numerous Federal and State laws govern the disclosure and use of SSNs. Some of these laws are summarized at the end of this training.
- Increased reliance on electronic information systems that use SSNs as the primary identifier has raised the risk of identity theft involving SSNs.

6 What does UTS165 require? UTS165 contains procedures to:
1. Reduce the use and collection of SSNs
2. Inform individuals when SSNs are collected
3. Reduce the public display of SSNs
4. Control access to SSNs
5. Protect SSNs
6. Establish accountability

7 What must I do to comply with UTS165? UTS165 provides for a phased compliance timeline. Certain actions must be taken immediately; other actions must occur by specified future dates.

8 What actions must be taken immediately? Except when UT Tyler is legally required to collect an SSN, an individual cannot be required to disclose his or her SSN or be denied service for refusing to disclose the SSN.

9 What actions must be taken immediately? The notice required by the Federal Privacy Act must be given each time UT Tyler requests disclosure of an SSN. Sample approved notices are in Appendix 3 to UTS165 and on UT Tyler’s website. The SSN Coordinator can assist you in preparing a notice for your particular needs.

10 What actions must be taken immediately? In addition to the Federal Privacy Act notice, State law requires an additional notice whenever we collect SSNs or other personal information by means of a paper or an electronic form. Your supervisor or the Information Security Officer can help with formulating this notice, too.

11 What actions must be taken immediately?
- Grades may not be publicly posted with all or any portion of the SSN.
- Records and media (disks, tapes, hard drives, etc.) containing SSNs must be discarded in a way that protects the confidentiality of the SSN. For example, paper records should be shredded and hard drives should be formatted.

12 What actions must be taken immediately? All new systems must comply with the standards contained in UTS165. Before acquiring or developing new systems, contact your information technology department and the Information Security Officer.

13 What actions must be taken immediately? Each employee must promptly report inappropriate disclosures of SSNs to his or her supervisor, who is to report such disclosures to the Information Security Officer.

14 What actions must be taken immediately? Each employee must comply with the rules of conduct that implement UTS165. Failure to do so may result in disciplinary action, including discharge or dismissal.

15 What actions must be taken immediately?
1. Access to records containing SSNs is to be limited to those employees who need access for the performance of job duties.
2. Records with SSNs should not be stored on computers or other electronic devices that are not secured against unauthorized access.
3. SSNs should be shared only with authorized third parties. A written confidentiality agreement should be used.

16 What actions must be taken immediately?
1. SSNs are not to be displayed on documents that can be seen by the general public (e.g., time cards and rosters) unless required by law.
2. Mailed materials containing SSNs should be designed so that SSNs do not show in the envelope window.
3. SSNs are not to be sent over the Internet or via unless encrypted or otherwise secured.

17 What other actions are required? As of September 1, 2007:
1. The use of the SSN as a primary identifier must be discontinued.
2. A unique identifier must be assigned to each individual.
3. Additional State law limitations on the use of SSNs become effective.

18 So what does all of this mean to you in your daily work? 1. If you need access to SSNs to do your job, you will have that access. SSNs are needed for a variety of reasons. For example, Federal law requires UT Tyler to obtain an SSN from each employee, to submit SSNs to the Federal government for tax credits for college courses, and to obtain SSNs from applicants for Federally-supported financial aid.

19 So what does all of this mean to you in your daily work? 2. If you use SSNs in your work, always ask: “Why do I need the SSN?” Often the answer will be that it’s simply the way we have always done things or it’s a matter of convenience. But there are other ways to verify a person’s identity or locate an individual’s record.

20 So what does all of this mean to you in your daily work? 3. If you request that an individual give you his or her SSN, remember that you must provide the Federal Privacy Act notice. You must give that notice regardless of whether you are assisting someone in person or over the phone or whether the person is completing a paper or electronic form.

21 So what does all of this mean to you in your daily work? 4. If an individual refuses to give you his or her SSN, remember that you cannot refuse to provide the requested services unless the SSN is required by law. Consider, too, that an individual who refuses to voluntarily disclose his or her SSN may be doing so out of concern over identity theft, so it will reflect well on you and your office to find a way to work around the problem.

22 So what does all of this mean to you in your daily work? 5. Be aware of the presence of SSNs on paper documents and computer systems and take care to be sure that such records are properly secured and discarded. If you discover that SSNs have been improperly disclosed, notify your supervisor immediately.

23 So what does all of this mean to you in your daily work? 6. Follow these rules:
a. Do not request an SSN unless it is necessary and relevant to your job duties.
b. Do not disclose SSNs to unauthorized persons or entities.
c. Do not use another person’s SSN to your own personal advantage.
d. Observe all administrative, physical, and technical safeguards.

24 What are the relevant laws? There are many laws that protect an individual’s privacy, some of which deal specifically with SSNs, and others that deal with protected health information or other personal or financial information. A summary of key provisions of some of the laws appears on the following pages. More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for the employee’s job duties.

25 What laws are summarized in this training?
- Federal Privacy Act of 1974
- Social Security Act
- Family Educational Rights and Privacy Act
- Texas Public Information Act
- Texas Business and Commerce Code §
- Texas Government Code §

26 Federal Privacy Act of 1974 A government agency cannot deny to any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his SSN, unless Federal law requires its disclosure. (Section 7 of Pub. L in Historical Note, 5 U.S.C. § 552a)

27 Federal Privacy Act of 1974 A government agency must provide a disclosure notice each time the agency requests an individual’s social security number. The notice must state (1) whether the disclosure is mandatory or voluntary, (2) by what authority the SSN is required, and (3) what use will be made of the SSN. (Section 7 of Pub. L in Historical Note, 5 U.S.C. § 552a)

28 Social Security Act Anyone who discloses, uses or compels disclosure of an SSN in violation of the laws of the United States is guilty of a felony punishable by a fine or imprisonment up to five years or both. (42 U.S.C. § 408(a)(8))

29 Social Security Act An SSN obtained or maintained by a governmental entity pursuant to any provision of law enacted on or after October 1, 1990, is confidential and may not be disclosed. (42 U.S.C. § 405(c)(2)(C)(viii)(I))

30 Family Educational Rights and Privacy Act Disclosure of a student’s confidential information, including the SSN, without written consent, is prohibited, unless the disclosure falls within a specified exception. (20 U.S.C. § 1232g)

31 Texas Government Code § Each time a State agency collects personal information by means of a paper or electronic form, the agency must notify the individual that he or she is entitled to (1) request to be informed about information collected about the individual, (2) receive and review the information, and (3) have the agency correct incorrect information.

32 Texas Public Information Act Each State employee must choose not later than the 14th day after employment begins whether to allow public access to personal information, including the individual’s SSN. (Texas Gov’t Code § )

33 Texas Business & Commerce Code § Effective March 1, 2005, the display of an individual’s SSN on a card or other device required to access a product or service is prohibited.

34 Texas Business and Commerce Code § Effective September 1, 2007, additional restrictions on the use of SSNs will apply to institutions of higher education. Please refer to the above-cited section of the Texas Business and Commerce Code for details.

35 How can you find out more?
- Read UTS165.
- Read the related rules of conduct.
- Ask your supervisor.
- Ask the Information Security Officer, Ms. Diane Garrett.
For UTS165 and more information on SSNs go to this website:

36 UT Tyler’s Disciplinary Procedures: Failure to follow compliance guidelines may result in disciplinary action including: departmental counseling, formal disciplinary action, suspension or termination.

37 Test Your Knowledge Following are several questions to test your knowledge of the information presented. Answer all questions correctly to receive credit for the training.

38 Question #1 UTS165 contains several procedures regarding SSNs, including reducing the use and collection of SSNs, informing individuals when SSNs are collected, and protecting SSNs. TRUE FALSE

39 REVIEW

40 Question #2 An individual cannot be required to disclose his or her SSN or be denied service for refusing to disclose their SSN unless UT Tyler is legally required to collect their SSN. TRUE FALSE

41 REVIEW

42 Question #3 The notice required by the Federal Privacy Act must be given to the individual each time UT Tyler requests disclosure of their SSN whether over the phone, in person, or on a paper or electronic form. TRUE FALSE

43 REVIEW

44 Question #4 You should be aware of and take measures to properly secure and discard Social Security Numbers on forms, in files, and on computer systems. TRUE FALSE

45 REVIEW

46 Congratulations… You have completed your training on Protecting the Confidentiality of Social Security Numbers. The University of Texas at Tyler General Compliance Training

47 The Training Post: An Educational Computer Based Training Program (CBT)