Policy

January 31, 2017

Protection of Social Security Numbers and Other Restricted Information

USC receives and collects Restricted Information, as defined below, from and about students, faculty and staff employees, patients, and business partners, among others, in order to provide academic and clinical services and/or to conduct business operations. USC will use, store and transmit “Restricted Information” responsibly and in compliance with federal and state laws and regulations.

For purposes of this policy, “Restricted Information” is defined as in USC’s Information Security Policy as: “Information or data in this classification is typically regulated or would cause a significant business impact if it were disclosed. Data protected by Health Insurance Portability and Protection Act (HIPAA), Gramm-Leach Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), the Family Education Rights Privacy Act (FERPA), California Financial Information Privacy Act  (CFIPA), personal information and personally identifiable information . . . Other data and information may be classified as restricted if it is in the best interest of the university.”

This policy applies to Restricted Information collected by any means and in any medium. It applies to all university faculty members (including part-time and visiting faculty), staff and other employees (such as postdoctoral scholars), students (including postdoctoral fellows and graduate students) and iVIP (guests with electronic access). In addition, all third parties, including vendors, consultants, and contractors who have access to or control of Restricted Information, described in this policy, must agree in writing to maintain such information in accordance with the policies of the university and in accordance with federal and state laws.

Reduce collection and storage of Restricted Information

The university only should collect or store Restricted Information as necessary to (a) to meet legal and regulatory requirements; or (b) to provide services or conduct business that require Restricted Information, such as for provision of clinical care, administration of financial aid, tax purposes, and collections, among other things.

Limit access to Restricted Information

Only the minimum amount of Restricted Information necessary to fulfill a particular function or purpose should be shared or released. In particular, access to Restricted Information is limited to:

  • the individual whose information is produced or displayed, upon verification,
  • a university official or agent of the university with authorized access,
  • a legitimate academic or business interest and a need to know,
  • an organization or person authorized in writing by the individual to receive the information,
  • a legally authorized government entity or representative, or other circumstances in which the university is legally compelled to provide access to personal information, or
  • other individuals or entities, as permitted or required by law or regulation.

Secure Restricted Information

Appropriate administrative, physical and technical safeguards must be implemented and maintained to secure Restricted Information, which include the following:

  • Restricted Information involving personally identifiable information maintained in electronic format should be encrypted at rest and in transit, as feasible.
  • Restricted Information involving personally identifiable information may not be stored on mobile devices unless proper access controls and encryption are maintained on the mobile devices.
  • All systems storing Restricted Information must comply with the university’s Network Infrastructure Use Policy and the Information Security policy.
  • Dual-factor authentication must be implemented, as technically feasible, on servers, systems and/or applications that contain Restricted Information.
  • Restricted Information maintained in paper records must be stored with appropriate physical safeguards, such as in locked cabinets and/or in restricted areas limited only to those who need access to that information.
  • Restricted Information must be destroyed (e.g., shredded) as soon as no longer needed for the legal or business purposes described above and/or in compliance with the university’s record management policy.
  • All servers and workstations with access to Restricted Information must be scanned regularly, as determined by ITS Security, and findings must be fully remediated.
  • All servers and third party systems that generate, store or transmit Restricted Information must meet the USC hardening checklist requirements, as applicable.
  • Employees with access to Restricted Information are not permitted to directly access their workstations or laptops remotely unless they use VPN or the Keckcare Portal.
  • Third parties may not access Restricted Information except as required by law or as necessary to carry out a business function and only if the third party has signed the university’s Business Associate Agreement or Data Security Addendum or other appropriate agreement as approved by Purchasing.
  • Restricted Information must be secured in compliance with any other legal or regulatory requirements.

Approval

Any additional uses of Restricted Information or exceptions to the security safeguards described above must be reviewed and approved in writing by the Information Risk Committee.

Notify school IT administrator if using Restricted Information

Faculty, staff and other employees will advise their school’s IT administrator if they are collecting, generating, transmitting or storing Restricted Information so that the information can be properly secured. The IT Administrator should consult with ITS Security and the Office of Compliance for assistance with requirements to secure the Restricted Information.

Online collection of personally identifiable information

University departments that collect personally identifiable information on their webpages must post a link to this privacy policy and inform consumers about any persons or entities outside the university with whom they may share personal information collected online. If the department has a process for the consumer to change such information, that process must be described and available to the consumer on the department webpages. Complaints about online collection of personally identifiable information or compliance with the California Online Privacy Protection Act should be referred to the Information Security office at (213) 740-5555.

Special privacy rights of students relating to personal social media

Pursuant to state law, USC is prohibited from requiring or requesting students, prospective students or student groups to disclose, access or divulge personal social media. Social media is defined as an electronic service or account, or electronic content, including but not limited to, video or still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts or internet website profiles or locations.

Additional Requirements Regarding Social Security Numbers

Permitted use of Social Security numbers

Social Security numbers may only be collected in the following circumstances or as otherwise required by law:  

  • IRS-related purposes
  • For awards of financial aid and collected via the FAFSA
  • Identification for unincorporated independent contractors
  • Medicare patient identification
  • Certain billing collection functions for students and patients

Any additional uses of social security numbers must be approved by the Information Risk Committee.

Additional security standards for Social Security numbers

Social Security numbers stored on USC systems must be encrypted or masked at rest and in transit. Exceptions to this requirement must be approved by the Information Risk Committee.

Restricted use of Social Security numbers

It is against state law to:

  • Publicly post or display the Social Security number in any manner;
  • Print the Social Security number on any card required to access service;
  • Require an individual to transmit his or her Social Security number over the internet unless the connection is secure or the number is encrypted;
  • Require an individual to use his or her Social Security number to access an internet site unless a unique password or PIN is also required; or
  • Print a Social Security number on any materials that are mailed unless required by a state or federal agency, unless state or federal law requires the Social Security number to be on the document to be mailed. Also, Social Security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the Social Security number.

Additional References

California Civil Code Section 1798.85
California Civil Code Section 1798.81.5-82
California Labor Code Section 226
California Education Code Section 99120, et seq.

Related policy

Cooperation with Compliance Investigations policy

Responsible Office

Information Technology Services

consult@usc.edu
(213) 740-5555

Office of Compliance

ooc.usc.edu
complian@usc.edu
(213) 740-8258

Issued by

Michael Quick, Provost and Senior Vice President, Academic Affairs
Todd R. Dickey, Senior Vice President, Administration
University of Southern California