64: Safeguarding Confidential Information in Records
Last Revised: December 2008
The university shall follow all federal and state laws governing the collection, recording, filing, maintenance, disclosure, transfer, and safeguarding of confidential information. The university shall follow the NSHE Information Security Plan which applies to any record containing nonpublic financial information about a student, employee, or other third party who has a relationship with the university, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the university.
Per ÁùºÏ±¦µä Revised Statues social security numbers are considered confidential personal financial information. It is the policy of the university to keep the number of individuals having access to social security number information to the minimum. The following departments are allowed to collect, record, file or store social security numbers in order to comply with federal and state requirements:
- Accounts Payable
- Admissions Office
- Cashier's Office
- Human Resources
- Non-Resident Alien Tax Specialist
- Payroll
- Police Services
- Student Employment
- Student Financial Aid
All other departments are restricted from collecting, recording, filing or storing social security numbers (or any part of) belonging to employees, students and other individuals, except as required by the offices listed above. For example, departments are allowed to collect social security numbers on payroll documents for new hires to transmit that information to the Payroll Department. Once the information is provided to the Payroll Department, the hiring department must remove the social security number information from its files.
Social security numbers will not be used as the identifier of a student, employee, or other individual, other than when required by law or governmental regulation. Departments, except those listed, may not create or maintain databases or spreadsheets containing social security numbers. Except as required by the listed departments, other departments must refuse to accept documents and files containing social security numbers or will obliterate or otherwise remove such information from documents and electronics files received.
Each department within the university is responsible to take steps to protect confidential information from risks that could compromise the security, confidentiality, and integrity of nonpublic financial information. These steps shall include the implementation of controls and procedures, appropriate physical and computer security, compliance with and the training of employees in the proper use of computer information.
Each department in possession of confidential information shall be vigilant in protecting any such information that is transferred to a laptop computer or other portable device. Encryption of data, attention to physical safeguards, and the continued monitoring of departmental practices are considered minimum standard procedures regarding confidential information transmitted in any manner from the campus systems.