College and University Privacy Issues: Social Security Numbers and Smart Cards

Presentation by Beth Givens, Director
NACUA 41st Annual Conference

National Association of College and University Attorneys
San Diego, California

 

Outline of Presentation:

 

 

1. Overview: There are many privacy issues facing colleges and universities today. This presentation covers only the first two below:

  • SSNs as student identification numbers
    - Identity theft and other security issues
  • Multi-purpose "smart" cards, privacy implications
  • Violence profiling
  • Weapons searches
  • Drug testing
  • E-mail, Internet uses, websites, acceptable use policy
  • Records disclosure
  • Uses of directory information
  • Video surveillance
  • Health services
  • Research subjects

2. Presentation Topics

  • Social Security numbers as student IDs
    - Identity theft and other security issues
  • Multi-purpose cards
    - "Smart" cards, memory cards, advanced cards

3. Uses of SSNs As Student IDs:

Complaints received by the Privacy Rights Clearinghouse:

  • No alternative numbers given
  • SSNs are written on checks at bookstore - a fraud risk
  • Used as library computer log-on number
  • Required to sign in at the computer center
  • Listed on class rosters
  • Why are students complaining?
    - Privacy concerns
    - Identity theft fears

4. Rise of Identity Theft in U.S.

  • SSN is key to assuming identities for credit and other types of financial fraud
  • Fastest growing crime in U.S.
  • 500,000-700,000 victims in 2000, based on credit bureau statistics
  • [Sept. 2003 Update: Recent surveys show there are currently 7-10 million victims per year,
    greatly exceeding our earlier estimates.
    For more information, see www.privacyrights.org/ar/idtheftsurveys.htm.]
  • Opportunistic crime, rather than targeted
  • Bad or non-existent credit is not a deterrent to the criminals
  • Criminalization is not a deterrent
    - Very low-risk crime because of light penalties; it is a nonviolent crime.

5. Campus Horror Stories

  • Florida professor posted SSNs of students on his class web site
  • 1,600 USC Orientation Dept. checks stolen, many with students' SSNs on memo line
  • Univ. of Indiana computer hacked by foreign intruder who obtained 3,000 SSNs
  • Professor posted grades by SSN and stole identities of some of her students
  • A teacher's ID was stolen by student -- her SSN was required on top of class roster
  • Female student was stalked for several years by a male student who was able to obtain information about her on an Internet information broker site
  • Female student's ex-boyfriend used SSN to commit identity theft as revenge

6. Sign of the Times

  • "The time has come to put the SSN back into its box. Its misuse is a national crisis."
    - John Huse, SSA Inspector General, Congressional hearing, May 22, 2001
  • States that prohibit SSN as student ID -- by law
    - Wisconsin, Arizona, New York, Rhode Island, Maryland
  • Voluntary actions - universities that have replaced SSNs with another number system
    - Montana State Univ., USC, Duke, Univ. of Virginia, Florida Univ. System, and others

7. Legislation

  • California SB 168, Sen. Bowen (update 12/01: university prohibition was removed)
  • U.S. Congress -- prohibit display, sale, etc. (update 12/01: no bills have yet passed)
    - H.R. 1478 (Kleczka)
    - H.R. 2036 (Shaw) (S. 1014)
    - S. 324 (Shelby)
    - S. 451 (Nelson)
    - S. 848 (Feinstein & Gregg)
    - S. 1014 (Bunning) (H.R. 2036)

8. Judicial Action

  • Krebs v. Rutgers
    - 797 F. Supp. 1246 (D.N.J. 1992)
  • 7 undergrads were plaintiffs -- complaints regarding uses for class rosters, ID cards, dining services, posting of grades, and denial of benefits if students refused to give SSNs.
  • Federal statutes cited -- Privacy Act of 1974 and Family Educational Rights and Privacy Act (FERPA, also known as the Buckley Amendment)

9. Privacy Act

  • Pub. L. No. 93-579, 5 U.S.C. 552a note
  • Unlawful for any federal, state, or local government agency to deny any individual any right, benefit, or privilege provided by law because the individual has refused to disclose his SSN ... unless disclosure is required by federal statute or is required under law adopted prior to Jan. 1, 1975.

10. FERPA - Family Educational Rights and Privacy Act (Buckley Amendment)

  • 20 U.S.C. 1232g(b)(1) (1988)
  • "No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of education records (or personally identifiable information ... other than directory information ...) ... of students without the written consent of their parents ..."

11. The Krebs Decision

  • Rutgers is an independent institution and not a public entity vis-à-vis Privacy Act
  • But FERPA applies to Rutgers, and SSNs are "educational records" and/or personally identifiable information.
  • Rutgers was ordered to stop disseminating SSNs on class rosters only.
  • Rutgers was granted a FERPA exception regarding use on ID cards.

12. Rutgers Today

  • Still uses the SSN as the student ID.
  • Allows students to obtain an alternate number.
  • Requires SSN for telephone registration and Internet access -- with PIN number.
  • Default PIN is month/day of student's birth.

13. Case Study: University of Illinois

  • Adoption of system-wide SSN policy
  • Year-long process, 1999, working group
  • Risk analysis
    - Loss of trust in institution
    - Loss of control of business (lawsuits)
    - Financial risk (loss of federal funding)
  • Web: www.ssn.uillinois.edu

14. University of Illinois SSN Policy

  • Purpose and objectives
    - Compliance with FERPA and Privacy Act
    - Broad awareness of confidential nature of SSNs
    - Reduced reliance on SSN for ID purposes
    - Consistent policy toward uses of SSN
    - Increased confidence by students and employees that SSNs are handled in confidential manner
  • Phased-in compliance over 5 years
  • Administrator to oversee SSN usage on each campus and to educate university
  • Unique ID Number assigned to all students, employees, contractors, consultants
  • No grades posted by SSN
  • Encrypted when transmitted electronically
  • Secure document disposal (shredding)
  • SSN not collected unless legal requirement
  • Limited release to third parties
  • May be stored with student records as confidential attribute
  • Explicit notices on forms and in handbooks
  • IT Dept. guidelines for electronic uses
  • Biennial report to Provosts and President
  • Compliance monitoring
  • Sanctions for breaches of confidentiality

15. Privacy Rights Clearinghouse Recommendations

  • Phase out use of SSN as student ID
  • Be prepared if SSNs are compromised. Provide identity theft information for students and employees.
  • Encourage a "culture of confidentiality"
  • Practice responsible information-handling
  • Establish position of Chief Privacy Officer
  • Develop privacy policy for smart cards

16. Multi-Purpose Cards (second topic of presentation)

  • Student ID card
  • Library use
  • Check cashing
  • Discretionary account
  • Facilities access -- dorms, computer labs, parking lots, recreational centers
  • Vending machines
  • Laundry
  • Student activities
  • Long distance phone service
  • Banking or credit union

17. Potential Privacy and Security Issues

  • Ensuring legitimate access to card data
  • Vendor access and vendor uses
  • Restricting secondary uses of data
  • Civil subpoena policy
  • Profiling
  • Student tracking
  • Data retention

18. The Answer?

  • Conduct "privacy impact assessment" before implementing
  • Develop and adopt code of "fair information principles"

19. Privacy Impact Assessment

  • Description of applications for which the cards will be used
  • Description of personally identifiable information collected and stored
  • Purposes of collection
  • How notice is given and consent is obtained
  • Methods of collection of student data
  • Duration of collection of information
  • Ensuring accuracy
  • Method of storage
  • Key personnel who have access
  • Procedures for access and correction
  • Complaints process
  • Security

20. Fair Information Principles - The Foundation of the University's Privacy Policy

(There are several such compilations. The following is my preferred code, developed by the Canadian Standards Association, 1995.)

  • Accountability
  • Identifying purpose
  • Consent
  • Limiting collection
  • Limiting use, disclosure and retention
  • Accuracy
  • Safeguards and security
  • Openness
  • Individual access
  • Challenging compliance

21. References

Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)

Alexander C. Papandreou, "Krebs v. Rutgers: The Potential for Disclosure of Highly Confidential Personal Information Renders Questionable the Use of Social Security Numbers as Student Identification Numbers," Journal of College and University Law (20:1, pp. 79-96) 1993.

Federal Laws

Family Educational Rights and Privacy Act, http://www.ed.gov/offices/OM/fpco/ferpa/
Privacy Act of 1974, www.usdoj.gov/foia/privstat.htm

University of Illinois Social Security Number Policy

Web: www.ssn.uillinois.edu

Identity Theft Resources

Privacy Rights Clearinghouse Fact Sheet 17 series.
Identity Theft Resource Center, www.idtheftcenter.org
Federal Trade Commission, www.consumer.gov/idtheft

Smart Cards

"Smart, Optical and Other Advanced Cards: How to Do a Privacy Assessment," Joint Project of the Information and Privacy Commissioner of Ontario and the Advanced Card Technology Association of Canada, Sept. 1997
www.ipc.on.ca/english/pubpres/sum_pap/papers/cards.pdf

Responsible Information-Handling

"A Checklist of Responsible Information-Handling Practices," Fact Sheet 12 by the Privacy Rights Clearinghouse

Fair Information Principles

"A Review of the Fair Information Principles: The Foundation of Privacy Public Policy," by Beth Givens, Privacy Rights Clearinghouse
www.privacyrights.org/ar/fairinfo.htm

Model Code for the Protection of Personal Information

(Canadian Standards Association, 1995)
From Who Knows: Safeguarding Your Privacy in a Networked World, by Ann Cavoukian and Don Tapscott, McGraw-Hill, 1997, pages 182-183.