These days, the importance of safeguarding personal data is a hot topic of conversation not only at Penn State, but also at many other institutions including the federal government. In July, the House Committee on Ways and Means approved the Social Security Number Privacy and Identity Theft Prevention Act, a bill designed to put further restrictions on the use and display of Social Security numbers (SSNs) in an effort to better protect identities. Although this bill is not yet law, it signifies that the prevention of identity theft has become a national concern.
Recognizing that concern, Penn State is just three months away from adopting a new Penn State ID number (PSU ID) in place of SSNs as the primary identifier of students, faculty and staff. "We're looking to protect private information from unintentional exposure and intentional identity theft," said David Lindstrom, chief privacy officer at the University. "The less we use, display and make available private information, the better we control the risk."
Since SSNs are a potential target for would-be identity thieves, Penn State recently created a new University policy to protect the privacy and confidentiality of an individual's SSN. Policy AD19, which will govern the future use of SSNs, takes effect Jan. 1, 2005, when the new PSU ID is adopted. It has been published now to give University offices time to comply with its provisions.
According to Kathy Plavko, manager on the SSN Project team, the new policy -- available at http://guru.psu.edu/policies/AD19.html -- is designed to reduce potential identity-theft risk for students, faculty and staff. Plavko stresses that following the policy guidelines is essential for the University community. Plavko said a Federal Trade Commission survey performed in 2003 showed that as many as 27.3 million people fell victim to identity theft between 1998 and 2003, including 9.9 million during the last year.
"This effort can only be successful if we have the full participation of every employee at the University in evaluating what they need to do to comply with the new policy and in being prepared for the changes that will take effect on Jan. 1," said Plavko.
Faculty and staff responsible for their own local data
As part of that preparation, Plavko explained that faculty and staff are responsible for the data files stored on their computers that contain SSNs. For example, files such as grade books, class lists and other listings containing SSNs should be deleted if they no longer are needed. Otherwise, they should either be saved to a CD and secured, or printed and filed in a secured location, and then deleted from the computer. SSNs also can be converted to the new PSU IDs if it is necessary to retain this information for continued use after Jan. 1.
Plavko also emphasized that faculty and staff should begin to clean up data on their computers now. Files that need to be converted to use the new PSU ID can be converted beginning Dec. 20. There will be a 90-day window, ending March 31, 2005, to complete these conversions.
Each college, department and campus has its own local SSN contact, listed at http://ais.its.psu.edu/ssn/media/LocalSSNContacts7.pdf, to coordinate these efforts. Specific information for faculty/staff conversions is available on the SSN Project Web site at http://ais.its.psu.edu/ssn
Key provisions for faculty and staff to ensure compliance with policy AD19
When assessing local files, follow these provisions from policy AD19:
-- Any spreadsheet, database, online list or electronic document containing SSNs must be deleted; printed and secured; stored securely off-line on a CD; or converted, unless the chief privacy officer grants an exception.
-- Microsoft Word documents and e-mail messages that contain SSNs must be secured, but do not need to be converted. Unnecessary files of this type should be deleted.
-- Both current and historical records containing SSNs in off-line storage such as paper, tape, cartridge, microfiche, microfilm or magnetic media do not need to be converted as long as access to them is limited and secured.
-- All online and off-line records containing SSNs will be considered confidential information. If employees have any such records that are no longer needed, they should purge them in compliance with the General Retention Schedule for University Records. See http://guru.psu.edu/gfug/appendices/APP18.html for details.
Collection of SSNs still necessary
Even after the launch of the new PSU ID on Jan. 1, the University still will be required to collect the SSN of any person who wishes to enroll in academic offerings and any person employed at Penn State. Only authorized employees, however, will have access to these SSNs.
"Social Security numbers are still the unique national identifier. We need to collect them for the purpose of paying employees, coordinating health care and health-care payments and reporting to other federal agencies that still work in an SSN environment," said Lindstrom.
Lindstrom added that any offices that have been granted permission from the chief privacy officer to store SSNs within their systems will need to be certified as a Penn State Trusted Network. This requirement will help avoid the type of security breach that recently occurred at the California Polytechnic State University, in which 652 students may have had their SSNs compromised after a computer virus infected a computer with their personal details on it.
"Any system with confidential information should have to meet minimum security requirements," said Lindstrom. The Privacy Office and Security Operations and Services, a unit of Information Technology Services, are working together to evaluate the current security requirements at Penn State.
Central systems transition
To facilitate the SSN-to-PSU ID changeover, all University Administrative Information Systems, including IBIS, ISIS, the Data Warehouse and eLion, will be taken off-line for conversion at midnight Saturday, Dec. 18. Systems will be back online on or after Dec. 26 as testing is completed. Beginning Jan. 1, 2005, the PSU ID will be used in these systems and in all internal processes that do not require SSNs for reporting or taxation purposes. The University still will need to collect individuals' SSNs for certain business processes, but use of SSNs will be strictly limited by policy AD19.
Apart from the conversion of Administrative Information Systems, each department, college and campus is responsible for converting its own unique academic and administrative procedures, processes and forms to use the new PSU ID.
For more information about Penn State's SSN conversion, visit the student information overview on the official SSN Project Web site at http://ais.its.psu.edu/ssn