In Compliance with the Michigan Social Security Number Protection Act (SSNPA)
In an effort to properly protect the identity of each of its students and employees, Kalamazoo College has reviewed its use of social security numbers (SSNs) and has updated its practices to ensure, to the extent practicable, the confidentiality of this important individual information.
No office or individual at the College shall:
- Publicly display all or more than four sequential digits of an SSN;
- Require an individual to use or to transmit all or more than four sequential digits of his or her SSN over the Internet or a computer system or network unless the connection is secure or the transmission is encrypted;
- Use an individual’s SSN in an email or an attachment to an email message;
- Print or use all or more than four sequential digits of the SSN in or on any document or information mailed or otherwise sent to an individual if it is visible on or, without manipulation, from outside of the envelope;
- Include all or more than four sequential digits of the SSN in a document mailed to a person, unless otherwise permitted by the SSNPA;
- Use the SSN as a student or employee number; or
- Post grades, assignments or other information using all or more than four sequential digits of the SSN.
Permitted uses. Full SSNs may be collected and/or stored, with proper authority under the legislation, for the following purposes:
- Payroll and tax documents
- HR personnel database
- Criminal background check release forms, both for employment and for students who work in the settings that require criminal background checks (e.g. Kalamazoo Public Schools, National Youth Sports Program)
- W-9s and records necessary to complete IRS 1099 forms
- Benefit application, enrollment and claim forms, documents and reports, including those for health, life or disability insurance; flexible benefit plans; retirement plans (e.g. TIAA-CREF); Emeriti Retirement Health Solutions
- Financial Aid FAFSA and ISIR documents, and PowerFAIDS and EDE software
- AmeriCorps documentation
- Teaching credential files for which the Michigan Department of Education requires SSN information
- Matriculation forms completed by students paying admission deposits (required for preparation of 1098-T forms)
- Confirmation of death of an alumnus or alumna via the federal SSN Death Index
Security measures. Once SSNs have been collected, the offices with the authority to collect them will implement and maintain practices that keep the information safe from individuals who have no work-related reason to access it.
- Files or pages containing SSNs will be kept in locked cabinets, or in rooms that have staff oversight or are kept locked.
- The CARS administrative computing system will be changed to limit the screen access to view the full SSN to a very small number of individuals who have a predetermined need to know full SSNs. The rest of campus will see only the last 4 digits of the SSN.
- The Information Technology division of the College will maintain and document the technological security measures broadly maintained by the College.
- College departments that have stand-alone databases will be held fully responsible for security of the information stored in those databases.
Partner organizations. The College will notify its partners of the need for SSN protection and the requirements of the SSNPA. Where such programs require the SSN and the College does not feel that it has the authority to collect and distribute that information for that purpose, the College will ask the programs involved to collect that single data element directly from the student. Identified partners to date include:
- Study Abroad programs that are run by institutions and entities other than Kalamazoo College
- GLCA domestic programs that enroll students
- Physician referrals from the College’s Health Center professionals
Document disposal. Proper document disposal is required for all documents that contain SSNs. Such documents may be shredded or, if the quantity of materials is significant, disposal may be contracted to a company with expertise in the disposal of confidential and sensitive documents.
Penalties. Failure to comply with this policy will be grounds for administrative action against the employee or student. The department of Human Resources will be the responsible adjudicator when the violation is at the hands of a staff or faculty member, and the Dean of Students will be the responsible adjudicator when the violation involves a student.
This policy document was drafted by Joellen L. Silberman, Dean of Enrollment, on behalf of the members of the Fall 2005 Identity and Privacy Protection Task Force, and was approved by President Eileen Wilson-Oyelaran on 20 December 2005.