1602 Protecting the Security and Confidentiality of Social Security Numbers

Responsible Official: Controller
Responsible Office: Controller's Office
Effective Date: October 1, 2008
Revision Date: October 1, 2008

Scope

This policy applies to all faculty and staff.

Reason for the Policy

The purposes of this Policy are to protect the security and confidentiality of Social Security numbers held by the University for business or legal purposes and to comply with Connecticut law.

Policy Sections

1602.1 Collection, Use, and Disclosure of Social Security Numbers

The University shall collect Social Security numbers from individuals only when legally required to do so or when essential for the conduct of University business. Access to Social Security numbers collected for these purposes shall be limited to those employees who require such access in connection with their job duties. University employees may not disclose Social Security numbers that they have obtained from University records, except when legally permitted and essential for the conduct of University business.

1602.2 Security of Social Security Numbers

Paper records containing a Social Security number must be stored in locked drawers, filing cabinets, or storage rooms and may not be left unattended while in use. Paper records containing a Social Security number may not be removed from the University offices where they are used, unless University business requires that they be transferred to another secure office. Unencrypted electronic records containing a Social Security number may be stored only on University servers that meet the highest security standard maintained by Information Technology Services. Electronic records containing a Social Security number may be stored on other electronic devices only if the records or the storage drives are encrypted. 

Any University employee who learns that a record containing a Social Security number has been lost or stolen or has been subject to unauthorized access must report the incident to the Office of the General Counsel as soon as practical.

1602.3 Remediation of Existing Records Containing Social Security Numbers

University employees are responsible for identifying records in their possession that contain a Social Security number. Whenever such records are identified, (i) the records must be stored in compliance with Sections 1602.1 and 1602.2 of this Policy; or (ii) the Social Security numbers must be removed or masked; or (iii) the records must be shredded or electronically destroyed.

1602.4 Social Security Numbers in Archival Material

University personnel files and student records held by University Archives may contain Social Security numbers.  Such records will be held in a secure storage facility and will not be available to researchers for 75 years from the date the employee or student leaves Yale. Before such records are made available to researchers, they will be reviewed, and Social Security numbers will be masked or removed to the extent it is reasonably possible to do so. 

Other University administrative records held by University Archives may also contain Social Security numbers.  Such records will be held in a secure storage facility and will not be available to researchers for at least 35 years from the date the record was created. Before such records are made available to researchers, they will be reviewed, and Social Security numbers will be masked or removed to the extent it is reasonably possible to do so. 

Researchers seeking access to records created in the United States after 1935 and held by a Yale administrative or scholarly archive must sign an agreement stating that they will not record, reproduce, or disclose any Social Security numbers found in the records they seek to view.  

1602.5 Disciplinary Procedures

Alleged violations of this Policy will be pursued in accordance with the appropriate disciplinary procedures, as outlined in the Faculty Handbook and the Staff Personnel Policies and Practices Manual, and other applicable materials. Staff members who are members of University-recognized bargaining units will be disciplined for violations of this Policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.

Roles and Responsibilities

Office of Vice President and General Counsel

Responsible for establishing this policy to comply with Connecticut law and for receiving notification of any potential violations of this policy.