Presentation by Beth Givens, Director
NACUA 41st Annual Conference
National Association of College and University Attorneys
San Diego, California
Outline of Presentation:
1. Overview: There are many privacy issues facing colleges and universities today. This presentation covers only the first two below:
- SSNs as student identification numbers
- Identity theft and other security issues
- Multi-purpose "smart" cards, privacy implications
- Violence profiling
- Weapons searches
- Drug testing
- E-mail, Internet uses, websites, acceptable use policy
- Records disclosure
- Uses of directory information
- Video surveillance
- Health services
- Research subjects
2. Presentation Topics
- Social Security numbers as student IDs
- Identity theft and other security issues
- Multi-purpose cards
- "Smart" cards, memory cards, advanced cards
3. Uses of SSNs As Student IDs:
Complaints received by the Privacy Rights Clearinghouse:
- No alternative numbers given
- SSNs are written on checks at bookstore - a fraud risk
- Used as library computer log-on number
- Required to sign-in at the computer center
- Listed on class rosters
- Why are students complaining?
- Privacy concerns
- Identity theft fears
4. Rise of Identity Theft in U.S.
- SSN is key to assuming identities for credit and other types of financial fraud
- Fastest growing crime in U.S.
- 500,000-700,000 victims in 2000, based on credit bureau statistics
- [Sept. 2003 Update: Recent surveys show there are currently 7-10 million victims per year,
greatly exceeding our earlier estimates.
For more information, www.privacyrights.org/ar/idtheftsurveys.htm.]
- Opportunistic crime, rather than targeted
- Bad or non-existent credit is not a deterrent to the criminals
- Criminalization is not a deterrent
- Very low-risk crime because of light penalties; it is a nonviolent crime.
5. Campus Horror Stories
- Florida professor posted SSNs of students on his class web site
- 1,600 USC Orientation Dept. checks stolen, many with students' SSNs on memo line
- Univ. of Indiana computer hacked by foreign intruder who obtained 3,000 SSNs
- Professor posted grades by SSN and stole identities of some of her students
- A teacher's ID was stolen by student -- her SSN was required on top of class roster
- Female student was stalked several years by a male student who was able to obtain information about her on Internet information broker site
- Female student's ex-boyfriend used SSN to commit identity theft as revenge
6. Sign of the Times
- "The time has come to put the SSN back into its box.Its misuse is a national crisis."
- John Huse, SSA Inspector General, Congressional hearing, May 22, 2001
- States that prohibit SSN as student ID -- by law
- Wisconsin, Arizona, New York, Rhode Island, Maryland
- Voluntary actions - universities that have replaced SSNs with another number system
- Montana State Univ., USC, Duke, Univ. of Virginia, Florida Univ. System, and others
- California SB 168, Sen. Bowen (update 12/01: university prohibition was removed)
- U.S. Congress -- prohibit display, sale, etc. (update 12/01: no bills have yet passed)
- H.R. 1478 (Kleczka)
- H.R. 2036 (Shaw) (S. 1014)
- S. 324 (Shelby)
- S. 451 (Nelson)
- S. 848 (Feinstein & Gregg)
- S. 1014 (Bunning) (H.R. 2036)
8. Judicial Action
- Krebs v. Rutgers
- 797 F. Supp. 1246 (D.N.J. 1992)
- 7 undergrads were plaintiffs -- complaints regarding uses for class rosters, ID cards, dining services, posting of grades, and denial of benefits if students refused to give SSNs.
- Federal statutes cited -- Privacy Act of 1974 and Family Educational Rights and Privacy Act (FERPA, also known as the Buckley Amendment)
9. Privacy Act
- Pub. L. No. 93-579, 5 U.S.C. 552a note
- Unlawful for any federal, state, or local government agency to deny any individual any right, benefit, or privilege provided by law because the individual has refused to disclose his SSN . unless disclosure is required by federal statute or is required under law adopted prior to Jan. 1, 1975.
10. FERPA - Family Educational Rights and Privacy Act (Buckley Amendment)
- 20 U.S.C. 1232g(b)(1) (1988)
- "No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of education records (or personally identifiable information . other than directory information ...) .of students without the written consent of their parents ."
11. The Krebs Decision
- Rutgers is an independent institution and not a public entity vis-à-vis Privacy Act
- But FERPA applies to Rutgers, and SSNs are "educational records" and/or personally identifiable information.
- Rutgers was ordered to stop disseminating SSNs on class rosters only.
- Rutgers was granted a FERPA exception regarding use on ID cards.
12. Rutgers Today
- Still uses the SSN as the student ID.
- Allows students to obtain an alternate number.
- Requires SSN for telephone registration and Internet access -- with PIN number.
- Default PIN is month/day of student's birth.
13. Case Study: University of Illinois
- Adoption of system-wide SSN policy
- Year-long process, 1999, working group
- Risk analysis
- Loss of trust in institution
- Loss of control of business (lawsuits)
- Financial risk (loss of federal funding)
- Web: www.ssn.uillinois.edu
14. University of Illinois SSN Policy
- Purpose and objectives
- Compliance with FERPA and Privacy Act
- Broad awareness of confidential nature of SSNs
- Reduced reliance on SSN for ID purposes
- Consistent policy toward uses of SSN
- Increased confidence by students and employees that SSNs are handled in confidential manner
- Phased-in compliance over 5 years
- Administrator to oversee SSN usage on each campus and to educate university
- Unique ID Number assigned to all students, employees, contractors, consultants
- No grades posted by SSN
- Encrypted when transmitted electronically
- Secure document disposal (shredding)
- SSN not collected unless legal requirement
- Limited release to third parties
- May be stored with student records as confidential attribute
- Explicit notices on forms and in handbooks
- IT Dept. guidelines for electronic uses
- Biennial report to Provosts and President
- Compliance monitoring
- Sanctions for breaches of confidentiality
15. Privacy Rights Clearinghouse Recommendations
- Phase out use of SSN as student ID
- Be prepared if SSNs are compromised. Provide identity theft information for students and employees.
- Encourage a "culture of confidentiality"
- Practice responsible information-handling
- Establish position of Chief Privacy Officer
16. Multi-Purpose Cards (second topic of presentation)
- Student ID card
- Library use
- Check cashing
- Discretionary account
- Facilities access -- dorms, computer labs, parking lots, recreational centers
- Vending machines
- Student activities
- Long distance phone service
- Banking or credit union
17. Potential Privacy and Security Issues
- Ensuring legitimate access to card data
- Vendor access and vendor uses
- Restricting secondary uses of data
- Civil subpoena policy
- Student tracking
- Data retention
18. The Answer?
- Conduct "privacy impact assessment" before implementing
- Develop and adopt code of "fair information principles"
19. Privacy Impact Assessment
- Description of applications for which the cards will be used
- Description of personally identifiable information collected and stored
- Purposes of collection
- How notice is given and consent is obtained
- Methods of collection of student data
- Duration of collection of information
- Ensuring accuracy
- Method of storage
- Key personnel who have access
- Procedures for access and correction
- Complaints process
(There are several such compilations. The following is my preferred code, developed by the Canadian Standards Association, 1995.)
- Identifying purpose
- Limiting collection
- Limiting use, disclosure and retention
- Safeguards and security
- Individual access
- Challenging compliance
Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)
Alexander C. Papandreou, "Krebs v. Rutgers: The Potential for Disclosure of Highly Confidential Personal Information Renders Questionable the Use of Social Security Numbers as Student Identification Numbers," Journal of College and University Law (20:1, pp. 79-96) 1993.
University of Illinois Social Security Number Policy
Identity Theft Resources
"Smart, Optical and Other Advanced Cards: How to Do a Privacy Assessment," Joint Project of the Information and Privacy Commissioner of Ontario and the Advanced Card Technology Association of Canada, Sept. 1997
"A Checklist of Responsible Information-Handling Practices," Fact Sheet 12 by the Privacy Rights Clearinghouse
Fair Information Principles
"A Review of the Fair Information Principles: The Foundation of Privacy Public Policy," by Beth Givens, Privacy Rights Clearinghouse
Model Code for the Protection of Personal Information
(Canadian Standards Association, 1995)
From Who Knows: Safeguarding Your Privacy in a Networked World, by Ann Cavoukian and Don Tapscott, McGraw-Hill, 1997, pages 182-183.