REG 01.25.11 – Process for Requesting Access to Social Security Numbers

Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: August 9, 2005.

Related Policies:
UNC Policy 1300.5[G] – Guidelines on Use of the Social Security Account Number by the University
NCSU REG08.00.02 – Computer Use Regulation
NCSU REG08.00.03 – Data Management Procedures

NCSU REG11.00.01 – Family Educational Rights and Privacy (FERPA)

Additional References:
Confidentiality of Computer Data at NC State
Federal Privacy Act of 1974
Family Educational and Privacy Rights §1232g 
Electronic Code of Federal Regulations
Information Security Acknowledgement Form
Management Team Members

Contact Info: Associate Vice Chancellor for Resource Management and Information Systems (919-515-9224)


1.  BACKGROUND

1.1  Campus Identification Number

Completion of the University’s social security number (SSN) replacement project eliminated the need to use SSN in most University business processes.  A Campus Identification Number (CID) is now used to identify students and employees.  In most cases, the CID will be student ID for students and HR employee ID for employees.

1.2  Continued Use of Social Security Numbers

The availability of the new Campus identifier does not eliminate the use of the SSN.  There are University business processes in which the collection and reporting of SSN is required by law, or is otherwise deemed to be in the best interest of the student, the employee, or the University.  Examples of these processes include the following:

1.2.1  The reporting of taxpayer information to the IRS and state tax withholding agencies.

1.2.2  The administration of employee benefits, including: Health Insurance, Retirement Accounts, NC Flex, and others.

1.2.3  The administration of Federally-funded Financial Aid

1.2.4  Compliance with the reporting requirements of the USA Patriot Act (SEVIS)

1.2.5  North Carolina’s Department of Public Instruction teacher certification process

1.2.6  The National Student Loan Clearinghouse loan deferment process and Student Status Confirmation Report (SSCR) for the U.S. Department of Education

1.2.7  The ROTC tracking and security clearance process

1.2.8  The issuing of 1098-T and other tax documents

1.2.9  The employment of Graduate Teaching and Research Assistants

1.2.10  Determination of exemption from Social Security and Medicare tax (FICA) withholding for students employed by the University.

1.3  Verification of Identity

Most valid uses of SSN data have been identified and accommodated; however, new requests for access continue to arise.  In most cases, business processes that once relied upon the SSN can be re-engineered to use alternative identifiers.  A Campus ID (CID) crosswalk table has been created to allow campus units that are involved in applications development to use a single source for resolving user identities.  This centralized source of data will provide tighter security and will eliminate replication of this data across the campus.  Requests for access to the Campus ID (CID) web application or data should be made via ASAP (Automated Security Access Process).  If SSN access is being requested via CID, a detailed description for the access must be included with the request as indicated in Section II below.

2.  ACCESSING STUDENT AND EMPLOYEE SSN

Social security numbers are data elements in two primary data systems: specifically, the Student Information System (SIS) and the Human Resources System (HR). Both systems have data stewards assigned that are responsible for control of their data.  The data steward for the SIS is the University Registrar, while the Director of Human Resources Information Management is responsible for HR. Each system has a Steering Team that is composed of representatives from key constituencies across campus.  The steering teams for both systems report to a single Management Team composed of senior level management officers appointed by the Vice Chancellor of Finance and Administration in consultation with the Provost.  This team structure is charged with ensuring the continuing operation and efficient use of these administrative systems.

2.1  Access to Student SSN

2.1.1  Access to a student’s SSN will be restricted, unless approved by the Integrated Student Information Systems (ISIS) Steering Committee.

2.1.2  Requests for exceptions for the use of SSN must be submitted in writing to the University Registrar.  Requests must describe, in detail, the reason the SSN is required and how it will be used and have documented support of the Dean, Vice Chancellor, or Vice Provost to whom the business unit of the requestor reports.

2.1.3  Upon initial review and consultation with appropriate parties, the University Registrar will submit the request to the ISIS Steering Committee for review and approval/recommendation.  Requests that do not have a majority of consensus will be submitted to the Management Team for review and then to the Provost, Vice-Chancellor of Finance and Administration, and the Vice Chancellor and Dean of Academic and Student Affairs (DASA), if necessary.  The ISIS Steering Committee Chair is responsible for responding to the requestor regarding the decision on the request.

2.1.4  Denied requests may be appealed in writing directly to the Management Team, provided the appeal has the endorsement of the Dean, Vice Chancellor, or Vice Provost of the unit making the appeal.

2.2  Access to Employee SSN

2.2.1  For access to an employee’s SSN, written requests must be submitted to the Director of Human Resources Information Management.

2.2.2  Requests must be in writing and describe, in detail, the reason the SSN is required and how it will be used.  Requests must have documented support of the Dean, Vice Chancellor, or Vice Provost to whom the business unit of the requestor reports.  The responsible data steward will review the request, consult with other appropriate parties as needed, make a decision and communicate that decision to the Management Team.  If alternatives other than use of the social security number will satisfy the requestor’s need, the request to use social security number will be denied.  If the Management Team supports the decision, the data steward will communicate the decision to the requestor.  The Management Team can rescind the data steward’s decision, or request Additional Information.

2.2.3  Denied requests may be appealed in writing directly to the Management Team, provided the appeal has the endorsement of the Dean, Vice Chancellor, or Vice Provost of the unit making the appeal.