About The Gazette Search Back Issues Contact Us    
The newspaper of The Johns Hopkins University December 18, 2006 | Vol. 36 No. 15
New Policy On Use of Student SSNs Adopted

Council of Deans takes steps to establish consistent practices, protection

By Greg Rienzi
The Gazette

The provost and Council of Deans recently approved, and the university has adopted, a more formal policy on the protection and use of student Social Security numbers.

The detailed and specific measures were passed in an effort to reduce reliance on the SSN for identification purposes and to increase student confidence involving the handling of the numbers. Johns Hopkins considers the student SSN, or any part thereof, to be "personally identifiable information" under the Family Educational Rights and Privacy Act of 1974.

The new policy, effective immediately, is the latest in efforts to protect the privacy and use of a student SSN and to place appropriate limitations on its use throughout admission, financial aid, billing and registration processes. Johns Hopkins also wants to establish consistent universitywide and divisional student SSN protection and use policies and practices.

In 2004, the university began issuing randomly generated six-character Unique ID numbers for all faculty, staff, students and alumni. Whenever possible, those UIDs are now used in place of a person's Social Security number for the purposes of identification.

In addition to the creation of UIDs, the university took other measures to curtail the use of Social Security numbers, such as not using them for identification at Homewood's Ralph S. O'Connor Recreation Center.

In late 2004, the provost charged the Student SSN/Unique Identifier Work Group with examining the issue of SSN use and developing a universitywide policy and set of standards. The nine-member group was chaired by Edgar Roulhac, vice provost for academic services.

Susan Boswell, dean of student life and a member of the work group, said that the initiative came in response to student concerns of "inappropriate uses" of their Social Security numbers by members of the administrative staff and faculty, including the posting of grades by these numbers. The university also was concerned about the potential for identify theft.

Steven Knapp, provost and senior vice president for academic affairs, said that the university is committed to ensuring privacy and proper handling of confidential information that it collects and maintains on faculty, staff and students.

"There have been a number of cases around the nation of accidental releases or malicious theft of Social Security numbers," Knapp said. "We want to ensure the privacy of student information--and faculty and staff as well--to the maximum extent possible to protect against identify theft or other kinds of abuses of personally sensitive information."

Boswell said that the new policy clearly states the seriousness of SSN use.

"The work group looked at this issue from every possible angle to make sure that we provided people who are authorized to use student Social Security numbers with a whole range of circumstances and particulars they need to consider," Boswell said. "What makes this document unique, I feel, is that it's more than just a policy; it's an education piece as well."

Under the new policy, no part of the student SSN may be physically displayed or released, such as sent via e-mail to multiple students, placed on student rosters or left on online bulletin boards. In addition, since the risk and likelihood of unauthorized disclosure increases with each additional electronic or paper copy of the SSN, divisional leadership will be held responsible for ensuring that the number and scope of physical repositories of SSNs are kept to a minimum.

Darren Lacey, a work group member and chief information security officer for the university and Johns Hopkins Medicine, said that while current policies and procedures exist to protect such information, this new policy provides a comprehensive set of standards.

"It's one of the first times that we have a unified information security policy for both documents and electronic information," Lacey said. "The policy also covers both the administrative side of the issue and the way you handle Social Security numbers from a technical perspective. It will, I feel, spur a lot of IT folks here to reassess the risks related to their systems."

Specific policy guidelines include:

University employees may not post the student's SSN or publish it on a Web page.

SSN data may not be transmitted electronically to any party outside JHU without appropriate authorization and security controls.

JHU student administration databases and datasets may not store or otherwise maintain a student SSN, except as required for government reporting or other specific business purposes.

Research databases that include student SSNs as a data element must be disclosed by the investigator to the appropriate institutional review board.

The number will continue to be collected as part of the application process, however, and still be required for registration to Johns Hopkins. A student's SSN is also generally required for certain government reporting and as part of applying for financial aid, billing and employment.

The policy contains the general requirements for the handling of SSNs, which can now be accessed only by individuals with a "need to know." These individuals will receive online privacy training in the coming months.

A full copy of the document is located on the Johns Hopkins University Policies Web page at


The Gazette | The Johns Hopkins University | Suite 540 | 901 S. Bond St. | Baltimore, MD 21231 | 443-287-9900 |