The provost and Council of Deans recently approved,
and the university has adopted, a more formal policy on the
protection and use of student Social Security numbers.
The detailed and specific measures were passed in an
effort to reduce reliance on the SSN for identification
purposes and to increase student confidence involving the
handling of the numbers. Johns Hopkins considers the
student SSN, or any part thereof, to be "personally
identifiable information" under the Family Educational
Rights and Privacy Act of 1974.
The new policy, effective immediately, is the latest
in efforts to protect the privacy and use of a student SSN
and to place appropriate limitations on its use throughout
admission, financial aid, billing and registration
processes. Johns Hopkins also wants to establish consistent
universitywide and divisional student SSN protection and
use policies and practices.
In 2004, the university began issuing randomly
generated six-character Unique ID numbers for all faculty,
staff, students and alumni. Whenever possible, those UIDs
are now used in place of a person's Social Security number
for the purposes of identification.
In addition to the creation of UIDs, the university
took other measures to curtail the use of Social Security
numbers, such as not using them for identification at
Homewood's Ralph S. O'Connor Recreation Center.
In late 2004, the provost charged the Student
SSN/Unique Identifier Work Group with examining the issue
of SSN use and developing a universitywide policy and set
of standards. The nine-member group was chaired by Edgar
Roulhac, vice provost for academic services.
Susan Boswell, dean of student life and a member of
the work group, said that the initiative came in response
to student concerns of "inappropriate uses" of their Social
Security numbers by members of the administrative staff and
faculty, including the posting of grades by these numbers.
The university also was concerned about the potential for
identity theft.
Steven Knapp, provost and senior vice president for
academic affairs, said that the university is committed to
ensuring privacy and proper handling of confidential
information that it collects and maintains on faculty,
staff and students.
"There have been a number of cases around the nation
of accidental releases or malicious theft of Social
Security numbers," Knapp said. "We want to ensure the
privacy of student information--and faculty and staff as
well--to the maximum extent possible to protect against
identity theft or other kinds of abuses of personally
sensitive information."
Boswell said that the new policy clearly states the
seriousness of SSN use.
"The work group looked at this issue from every
possible angle to make sure that we provided people who are
authorized to use student Social Security numbers with a
whole range of circumstances and particulars they need to
consider," Boswell said. "What makes this document unique,
I feel, is that it's more than just a policy; it's an
education piece as well."
Under the new policy, no part of the student SSN may
be physically displayed or released, such as sent via
e-mail to multiple students, placed on student rosters or
left on online bulletin boards. In addition, since the risk
and likelihood of unauthorized disclosure increases with
each additional electronic or paper copy of the SSN,
divisional leadership will be held responsible for ensuring
that the number and scope of physical repositories of SSNs
are kept to a minimum.
Darren Lacey, a work group member and chief
information security officer for the university and Johns
Hopkins Medicine, said that while current policies and
procedures exist to protect such information, this new
policy provides a comprehensive set of standards.
"It's one of the first times that we have a unified
information security policy for both documents and
electronic information," Lacey said. "The policy also
covers both the administrative side of the issue and the
way you handle Social Security numbers from a technical
perspective. It will, I feel, spur a lot of IT folks here
to reassess the risks related to their systems."
Specific policy guidelines include:
- University employees may not post
the student's SSN or publish it on a Web page.
- SSN data may not be transmitted
electronically to any party outside JHU without appropriate
authorization and security controls.
- JHU student administration
databases and datasets may not store or otherwise maintain
a student SSN, except as required for government reporting
or other specific business purposes.
- Research databases that include
student SSNs as a data element must be disclosed by the
investigator to the appropriate institutional review
board.
The number will continue to be collected as part of
the application process, however, and still be required for
registration to Johns Hopkins. A student's SSN is also
generally required for certain government reporting and as
part of applying for financial aid, billing and
employment.
The policy contains the general requirements for the
handling of SSNs, which can now be accessed only by
individuals with a "need to know." These individuals will
receive online privacy training in the coming months.
A full copy of the document is located on the Johns
Hopkins University Policies Web page at
www.jhu.edu/news_info/policy/ssnuse.html.