As part of Duke’s ongoing efforts to protect sensitive data, Duke has updated the procedures for protecting Social Security numbers (SSNs) in accordance with the policy originating from Executive Vice President Tallman Trask’s directive. As before, all departments that have a need to collect or store SSNs must engage with the IT Security Office (University) or Information Security Office (Duke Health) to assess the need before EVP review.
In recognition of business processes that may require collection of SSNs, the following use cases permit the collection of SSNs with EVP approval. Note that this approval does NOT permit the storage of SSNs outside SAP or Financial Services-administered systems:
- I-9 forms as part of employee hiring process
- Tax forms (e.g., W9s for independent contractors)
- Research participant reporting (between the research group and Finance)
Outside of the above cases, departments may request approval from the EVP’s office to collect SSNs in the following cases:
- Non-compensatory payments (e.g., scholarship/fellowship payments)
- One-time payments to non-employees (e.g., honoraria)
- Payment to participants in research studies
Process for approval
Duke departments seeking approval for collection or storage of SSNs should contact firstname.lastname@example.org.
If approved, SSNs must be collected using either Duke’s Box or Qualtrics service:
OIT’s StrongBox interface for Box offers a secure transfer method for non-Duke individuals to submit a completed W-9 or other sensitive data form electronically. A Duke employee handling a payment request can create and share a designated StrongBox folder, where a non-Duke individual can upload a form. StrongBox Instructions
The survey software Qualtrics also can be used to collect SSNs, either via direct input by a non-Duke user (as a field in a survey) or by uploading a form into a created survey. Qualtrics Instructions
Data would be retained in the StrongBox folder or Qualtrics survey for no more than 45 days by policy, as set by Disbursement Services.
Document Type: Procedure