College and University Privacy Issues: Social Security Numbers and Smart Cards

Presentation by Beth Givens, Director
NACUA 41st Annual Conference
National Association of College and University Attorneys
San Diego, California

Outline of Presentation:

1. Overview: There are many privacy issues facing colleges and universities today. This presentation covers only the first two below:

• SSNs as student identification numbers
  - Identity theft and other security issues
• Multi-purpose "smart" cards, privacy implications
• Violence profiling
• Weapons searches
• Drug testing
• E-mail, Internet uses, websites, acceptable use policy
• Records disclosure
• Uses of directory information
• Video surveillance
• Health services
• Research subjects

2. Presentation Topics

• Social Security numbers as student IDs
  - Identity theft and other security issues
• Multi-purpose cards
  - "Smart" cards, memory cards, advanced cards

3. Uses of SSNs As Student IDs:

Complaints received by the Privacy Rights Clearinghouse:

• No alternative numbers given
• SSNs are written on checks at bookstore - a fraud risk
• Used as library computer log-on number
• Required to sign-in at the computer center
• Listed on class rosters
• Why are students complaining?
  - Privacy concerns
  - Identity theft fears

4. Rise of Identity Theft in U.S.

• SSN is key to assuming identities for credit and other types of financial fraud
• Fastest growing crime in U.S.
• 500,000-700,000 victims in 2000, based on credit bureau statistics
• [Sept. 2003 Update: Recent surveys show there are currently 7-10 million victims per year,
  greatly exceeding our earlier estimates.
  For more information, www.privacyrights.org/ar/idtheftsurveys.htm.]
• Opportunistic crime, rather than targeted
• Bad or non-existent credit is not a deterrent to the criminals
• Criminalization is not a deterrent
  - Very low-risk crime because of light penalties; it is a nonviolent crime.

5. Campus Horror Stories

• Florida professor posted SSNs of students on his class web site
• 1,600 USC Orientation Dept. checks stolen, many with students' SSNs on memo line
• Univ. of Indiana computer hacked by foreign intruder who obtained 3,000 SSNs
• Professor posted grades by SSN and stole identities of some of her students
• A teacher's ID was stolen by student -- her SSN was required on top of class roster
• Female student was stalked several years by a male student who was able to obtain information about her on Internet information broker site
• Female student's ex-boyfriend used SSN to commit identity theft as revenge

6. Sign of the Times

• "The time has come to put the SSN back into its box.Its misuse is a national crisis."
  - John Huse, SSA Inspector General, Congressional hearing, May 22, 2001
• States that prohibit SSN as student ID -- by law
  - Wisconsin, Arizona, New York, Rhode Island, Maryland
• Voluntary actions - universities that have replaced SSNs with another number system
  - Montana State Univ., USC, Duke, Univ. of Virginia, Florida Univ. System, and others

7. Legislation

• California SB 168, Sen. Bowen (update 12/01: university prohibition was removed)
• U.S. Congress -- prohibit display, sale, etc. (update 12/01: no bills have yet passed)
  - H.R. 1478 (Kleczka)
  - H.R. 2036 (Shaw) (S. 1014)
  - S. 324 (Shelby)
  - S. 451 (Nelson)
  - S. 848 (Feinstein & Gregg)
  - S. 1014 (Bunning) (H.R. 2036)

8. Judicial Action

• Krebs v. Rutgers
  - 797 F. Supp. 1246 (D.N.J. 1992)
• 7 undergrads were plaintiffs -- complaints regarding uses for class rosters, ID cards, dining services, posting of grades, and denial of benefits if students refused to give SSNs.
• Federal statutes cited -- Privacy Act of 1974 and Family Educational Rights and Privacy Act (FERPA, also known as the Buckley Amendment)

9. Privacy Act

• Pub. L. No. 93-579, 5 U.S.C. 552a note
• Unlawful for any federal, state, or local government agency to deny any individual any right, benefit, or privilege provided by law because the individual has refused to disclose his SSN . unless disclosure is required by federal statute or is required under law adopted prior to Jan. 1, 1975.

10. FERPA - Family Educational Rights and Privacy Act (Buckley Amendment)

• 20 U.S.C. 1232g(b)(1) (1988)
• "No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of education records (or personally identifiable information . other than directory information ...) .of students without the written consent of their parents ."

11. The Krebs Decision

• Rutgers is an independent institution and not a public entity vis-à-vis Privacy Act
• But FERPA applies to Rutgers, and SSNs are "educational records" and/or personally identifiable information.
• Rutgers was ordered to stop disseminating SSNs on class rosters only.
• Rutgers was granted a FERPA exception regarding use on ID cards.

12. Rutgers Today

• Still uses the SSN as the student ID.
• Allows students to obtain an alternate number.
• Requires SSN for telephone registration and Internet access -- with PIN number.
• Default PIN is month/day of student's birth.

13. Case Study: University of Illinois

• Adoption of system-wide SSN policy
• Year-long process, 1999, working group
• Risk analysis
  - Loss of trust in institution
  - Loss of control of business (lawsuits)
  - Financial risk (loss of federal funding)
• Web: www.ssn.uillinois.edu

14. University of Illinois SSN Policy

• Purpose and objectives
  - Compliance with FERPA and Privacy Act
  - Broad awareness of confidential nature of SSNs
  - Reduced reliance on SSN for ID purposes
  - Consistent policy toward uses of SSN
  - Increased confidence by students and employees that SSNs are handled in confidential manner

• Phased-in compliance over 5 years
• Administrator to oversee SSN usage on each campus and to educate university
• Unique ID Number assigned to all students, employees, contractors, consultants
• No grades posted by SSN
• Encrypted when transmitted electronically
• Secure document disposal (shredding)
• SSN not collected unless legal requirement
• Limited release to third parties
• May be stored with student records as confidential attribute
• Explicit notices on forms and in handbooks
• IT Dept. guidelines for electronic uses
• Biennial report to Provosts and President
• Compliance monitoring
• Sanctions for breaches of confidentiality

15. Privacy Rights Clearinghouse Recommendations

• Phase out use of SSN as student ID
• Be prepared if SSNs are compromised. Provide identity theft information for students and employees.
• Encourage a "culture of confidentiality"
• Practice responsible information-handling
• Establish position of Chief Privacy Officer
• Develop privacy policy for smart cards

16. Multi-Purpose Cards (second topic of presentation)

• Student ID card
• Library use
• Check cashing
• Discretionary account
• Facilities access -- dorms, computer labs, parking lots, recreational centers
• Vending machines
• Laundry
• Student activities
• Long distance phone service
• Banking or credit union

17. Potential Privacy and Security Issues

• Ensuring legitimate access to card data
• Vendor access and vendor uses
• Restricting secondary uses of data
• Civil subpoena policy
• Profiling
• Student tracking
• Data retention

18. The Answer?

• Conduct "privacy impact assessment" before implementing
• Develop and adopt code of "fair information principles"

19. Privacy Impact Assessment

• Description of applications for which the cards will be used
• Description of personally identifiable information collected and stored
• Purposes of collection
• How notice is given and consent is obtained
• Methods of collection of student data
• Duration of collection of information
• Ensuring accuracy
• Method of storage
• Key personnel who have access
• Procedures for access and correction
• Complaints process
• Security

20. Fair Information Principles - The Foundation of the University's Privacy Policy

(There are several such compilations. The following is my preferred code, developed by the Canadian Standards Association, 1995.)

• Accountability
• Identifying purpose
• Consent
• Limiting collection
• Limiting use, disclosure and retention
• Accuracy
• Safeguards and security
• Openness
• Individual access
• Challenging compliance

21. References

Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)

Alexander C. Papandreou, "Krebs v. Rutgers: The Potential for Disclosure of Highly Confidential Personal Information Renders Questionable the Use of Social Security Numbers as Student Identification Numbers," Journal of College and University Law (20:1, pp. 79-96) 1993.

Federal Laws

Family Educational Rights and Privacy Act, http://www.ed.gov/offices/OM/fpco/ferpa/
Privacy Act of 1974, www.usdoj.gov/foia/privstat.htm

University of Illinois Social Security Number Policy

Web: www.ssn.uillinois.edu

Identity Theft Resources

Privacy Rights Clearinghouse Fact Sheet 17 series.
Identity Theft Resource Center, www.idtheftcenter.org
Federal Trade Commission, www.consumer.gov/idtheft

Smart Cards

"Smart, Optical and Other Advanced Cards: How to Do a Privacy Assessment," Joint Project of the Information and Privacy Commissioner of Ontario and the Advanced Card Technology Association of Canada, Sept. 1997
www.ipc.on.ca/english/pubpres/sum_pap/papers/cards.pdf

Responsible Information-Handling

"A Checklist of Responsible Information-Handling Practices," Fact Sheet 12 by the Privacy Rights Clearinghouse
Fair Information Principles

"A Review of the Fair Information Principles: The Foundation of Privacy Public Policy," by Beth Givens, Privacy Rights Clearinghouse
www.privacyrights.org/ar/fairinfo.htm

Model Code for the Protection of Personal Information

(Canadian Standards Association, 1995)
From Who Knows: Safeguarding Your Privacy in a Networked World, by Ann Cavoukian and Don Tapscott, McGraw-Hill, 1997, pages 182-183.