SSN Removal

This page is intended as a guide to resources for removing Social Security Numbers (SSNs) from UGA systems and processes.

Senior Vice President Memo and Other Communications

The following announcements have been sent out regarding the Social Security Number (SSN) elimination initiative:

• 2011 Memo from the Sr. Vice Presidents to Vice Presidents, Deans, and Department Heads. Subject: Elimination of Use of Social Security Numbers (SSNs)
• 2009 Memo from the Sr. Vice Presidents to UGA Leadership. Subject: Social Security Number Replacement

Legal Requirements and University Policies

Due to the increasing threat of identity theft and fraud, State and Federal governments have created privacy laws and the University of Georgia has adopted internal policies that require the security and privacy of an individual's Social Security Number.

It is unlawful to ...

• Publically post or display the SSN (OCGA 10-1-393.8)
• Require an individual to transmit his/her SSN unless the connection is secure or the number is encrypted (OCGA 10-1-393.8)
• Require an individual to use his or her Social Security number to access an Internet site unless a unique password or PIN is also required (OCGA 10-1-393.8)
• Electronically transmit (e.g. e-mail, FTP, etc.) the SSN of a resident of some States (e.g. California, Massachusetts, and New York) unless the SSN is encrypted(FTC)
• Fail to notify a citizen of Georgia of any breach of the security of a system that allowed unauthorized access to his/her SSN information and other identifying information (OCGA 10-1-910)

It is a violation of University policy to ...

• Transmit the SSN in e-mail unless the data is encrypted(Email Policy)
• E-mail SSN(s) to outside parties without prior authorization (Email Policy)
• Store SSN(s) on computers without protecting it appropriately (Policies on the Use of Computers)
• Permit an unauthorized individual access to SSN data (Privacy Policy)
• Print the SSN on any card required to access services (Privacy Policy)
• Establish a new process that requires printing of SSN on mailed materials unless required by a state or federal agency (Privacy Policy)
• Collect SSN data via a website without posting a link to the University Privacy Policy (Privacy Policy)

University guidelines advise against ...

• Collecting, storing or processing SSN data unless there is a need to do so
• The transmission of SSN information over public networks without encryption
• Retention of SSN data beyond its useful life
• Storing SSN data without encryption

Partial Social Security Numbers

Although storing and processing partial SSN data (e.g. just the last four digits of a SSN) can reduce the risk of identity theft to an individual, residual risks do remain in instances where partial SSNs are used in conjunction with other identifying information such as address or birthplace.

Many laws and UGA policies--including OCGA 10-1-393.8, OCGA 10-1-910, and the UGA Privacy Policy as referenced above--still apply to instances where partial SSN data is stored/processed/transmitted. Consequently, partial SSN data are included in the scope of UGA's SSN elimination initiative.

SSN Removal from Paper Records

The focus of UGA SSN elimination has been placed on the removal of SSNs from information systems and business processes. Business processes that include the active use of SSNs in paper documents are therefore in the scope of the UGA SSN elimination efforts.

Archived paper records that are not currently used in a business process have been out of scope for these efforts, but it is the recommendation of the Office of Information Security to destroy or redact these documents if feasible (see Records Retention section below). If you these documents do need to be retained without redaction, ensure that they are stored in a secure fashion.

SSN Removal and Records Retention

The University of Georgia retains paper and electronic records in accordance with the University System of Georgia Records Retention Schedules Schedules based on the requirements of the Georgia Records Act (O.C.G.A. 50-18-90 et seq.).

It is the position of the University of Georgia that it is lawful and permissible to redact Social Security Numbers from archived electronic or paper records for the purposes of identity protection. Any sensitive records which are not required by law or policy for retention should be securely destroyed.

• University System of Georgia Records Retention Schedules

IDM Translation Tools

The following tools are currently available to assist with SSN conversion to alternate ID numbers.

• Web interface to translate SSN to CAN or MyID
• Database for this translation
• Web Connector to automate the process of translation from SSN to CAN
• Web interface to verify users over the phone without using SSNs

For the latest updates, please visit the ID Management website.

SSN Discovery Guides

• SSN Discovery for Staff and Faculty