Social Security Numbers

Report location and volumes of identifiable records with full Social Security Numbers annually

 

When collected for legal requirements: Complete the online form Full SSNs Collected for Legal Requirements for each system or process collecting or storing full SSNs and submit it to the University Information Security office. Contact the Information Security Office at itsec-ec@harvard.edu to request access to the reporting form, as needed.
When collected for business purposes and not a legal requirement:...

Read more about Report location and volumes of identifiable records with full Social Security Numbers annually

Report location and volumes of identifiable records with full Social Security Numbers annually

SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.

 

Archive selected identifiable records with full Social Security Numbers securely

See www.grs.harvard.edu for retention schedules and Archive transfer instructions. After secure transfer of the selected records is complete, securely dispose of remaining records in your control that are no longer required by law. Note: Records transferred to HUA are restricted for 80 years and then may be released for research use. The repository may elect to redact the pertinent HRCI information on a case-by-case basis prior to release.

Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from...

Read more about Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

In certain cases, there may be contracted business partners that require full SSN plus identifying information to complete specific transactions for us, but which do not fulfill a legal requirement for using a full SSN. For example, certain insurance providers may still identify policy holders according to a full SSN, and an alternate identifier or truncated SSN would break their processing service. In such cases, the group with that business need should complete an online...

Read more about Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

Compile and maintain identifiable records with Social Security Numbers only when required by law

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...

Read more about Compile and maintain identifiable records with Social Security Numbers only when required by law

Protect identifiable records with Social Security Numbers according to Level 4 requirements

SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.