Handbook of Operating Procedures > Series 200 General Policies and Procedures > 2.6.1 Confidentiality of Social Security Numbers

2.6.1 Confidentiality of Social Security Numbers

A.  Purpose

The purpose of this document is to set forth the rules of conduct adopted by the University of Texas at Tyler (UT Tyler) and the University of Texas Health Science Center at Tyler (UTTHSC) (collectively the “University”) to implement UT System Policy 165, Information Resources Use and Security Policy ("UTS 165"). An employee of the University who fails to comply with these rules of conduct may be subject to appropriate disciplinary action, including discharge or dismissal in accordance with the policies and procedures of the University..

B.  Persons Affected

These rules of conduct are applicable to all employees and students at the University.

C.  Definitions

Employee: Any person actively employed for wages or salary at the University.

D.  Policy and Procedures

This policy has been adopted in accordance with UTS 165. Please refer to UTS 165 for additional specific details and requirements.

As stated in UTS 165, it is the policy of the University to protect the confidential nature of social security numbers without creating unreasonable obstacles to the conduct of the business of the University.

1. Employees and students shall comply with the provisions of UTS 165, including Standard 13, and related University policies and procedures.
2. The University shall limit access to records containing SSNs to those employees who need to see the number for the performance of the employees' job responsibilities.
3. Employees may not request disclosure of a social security number if it is not necessary and relevant to the purposes of The University and the particular function for which the employee is responsible.
4. When social security numbers are required and collected, the University shall provide individuals with notice as required by Section 7 of the Federal Privacy Act of 1974 (5 U.S.C. § 552a).
5. Employees and students may not disclose social security numbers to unauthorized persons or entities by any means except:
   1. As required or permitted by law; or
   2. With the consent of the individual; or
   3. Where the third party is the agent or contractor for the institution and appropriate safeguards are in place to prevent unauthorized distribution; or,
   4. As approved by the Legal Counsel.
6. When electronic disclosure is required, the SSN must be encrypted or otherwise secured.
7. Employees and students may not seek out or use social security numbers relating to others for their own interest or advantage.
8. Employees responsible for the maintenance of records containing social security numbers shall observe all administrative, technical, and physical safeguards established by System Administration and the University in order to protect the confidentiality of such records.
9. Employees shall report promptly inappropriate disclosure of social security numbers to their supervisors, who shall report the disclosure to the University Information Security Officer (ISO). Reporting by the employee may be anonymous, in accordance with the University's compliance program, if the employee so chooses. Retaliation against an employee who in good faith reports a possibly inappropriate disclosure of social security numbers is prohibited.
10. The Information Security Officer (ISO) at the University officially interprets rules of conduct and is responsible for revising them as necessary to meet the changing needs of the University.

E.  Responsibilities

Employees and students shall comply with the provisions of this policy and UTS 165.

F. Relevant System Policies and Federal Laws

UTS 165 - Information Resources Use and Security Policy

Section 7 of the Federal Privacy Act of 1974 (5 U.S.C. § 552a)

G. Review

Policy shall be reviewed by the ISO every two years or as legislation changes.