Duke policy on SSN usage

While it is important to ensure that departments have the information necessary to their functions, the increased use of Social Security Numbers as identity verification puts members of the Duke community at greater risk for identity theft. The Office of the Chief Information Officer has studied these concerns and has produced a paper about them, which you can find online at www.security.duke.edu/SSNwhitepaper.doc. In accordance with these recommendations and the directive issued by Dr Tallman Trask III, the current policy on the collection, storage, and use of Social Security Numbers at Duke is:


Departments wishing to collect, store, or use SSNs in any way must

  • Show compelling institutional need
  • Receive approval from the Executive Vice President and the Chief Information Officer, and
  • Permit yearly audits (including server and application security) to ensure safe SSN handling

Authenticated Duke users can see the University's list of institutional groups permitted to collect, store, and use SSNs on this page.


Please contact the DUHS Information Security Office for the DUHS and DM process (iso@mc.duke.edu).


The University process for obtaining approval is:

  1. The department completes the Data Classification web form: http://security.duke.edu/protected-data-form
  2. The University IT Security Office reviews the form and sends a summary or proposal to the CIO for approval.
  3. If the CIO approves, the proposal is submitted to the EVP for approval.
  4. If the EVP approves, a signed approval document is provided to the department.
  5. Internal Audit is notified that the department has executive approval to collect, store, or use SSNs and that it should be audited annually.

 

Machines collecting, storing, or using SSNs in any way must comply with the ITSO technical standard requirements for Sensitive data.