The PSU ID numbers will be printed on the new Penn State id+ cards, which will be distributed at card distribution events at every campus from Nov. 1-5 to all current cardholders (faculty, staff, and students). Cardholders will need to continue using their current card until the new cards take effect during the winter break. Automated card-swipe systems will be converted to the new PSU ID between Dec. 20 and Dec. 31. Any person who will be using a card-reading system during this time period (example: for access to offices or residence halls), should carry both his/her old and new ID cards to ensure access.
These days, the importance of safeguarding personal data is a hot topic of conversation not only at Penn State, but also at many other institutions including the federal government. In July, the House Committee on Ways and Means approved the Social Security Number Privacy and Identity Theft Prevention Act, a bill designed to put further restrictions on the use and display of Social Security numbers (SSNs) in an effort to better protect identities. Although this bill is not yet law, it signifies that the prevention of identity theft has become a national concern.
Recognizing that concern, Penn State is just three months away from adopting a new Penn State ID number (PSU ID) in place of SSNs as the primary identifier of students, faculty and staff. "We're looking to protect private information from unintentional exposure and intentional identity theft," said David Lindstrom, Chief Privacy Officer at the University. "The less we use, display and make available private information, the better we control the risk."
Since SSNs are a potential target for would-be identity thieves, Penn State has recently created a new University policy to protect the privacy and confidentiality of an individual's SSN. Policy AD19, which will govern the future use of SSNs, takes effect January 1, 2005, when the new PSU ID is adopted. It has been published now to give University offices time to comply with its provisions.
According to Kathy Plavko, manager on the SSN Project team, the new policy-available at http://guru.psu.edu/policies/AD19.html -is designed to reduce potential identity theft risk for students, faculty and staff. Plavko stresses that following the policy guidelines is essential for the University community, citing that as many as 27.3 million people fell victim to identity theft between 1998 and 2003, including 9.9 million during the last y ear, according to a Federal Trade Commission survey performed in 2003.
"This effort can only be successful if we have the full participation of every employee at the University in evaluating what they need to do to comply with the new policy and in being prepared for the changes that will take effect on January 1," said Plavko.Faculty and staff responsible for their own local data
As part of that preparation, Plavko explains that faculty and staff are responsible for the data files stored on their computers that contain SSNs. For example, files like grade books, class lists and other listings containing SSNs should be deleted if they no longer are needed. Otherwise, they should be saved to a CD and secured or printed and filed in a secured location, and then deleted from the computer. SSNs also can be converted to the new PSU IDs if it is necessary to retain this information for continued use after January 1.
Plavko also emphasizes that faculty and staff should begin to clean up data on their computers now.
Files that need to be converted to use the new PSU ID can be converted beginning December 20. There will be a 90-day window, ending March 31, 2005, to complete these conversions.
Each college, department and campus has its own local SSN contact listed at http://ais.its.psu.edu/ssn/media/LocalSSNContacts7.pdf to coordinate these efforts and specific information for faculty/staff conversions is available on the SSN Project Web site at http://ais.its.psu.edu/ssn.Key provisions for faculty and staff to ensure compliance with policy AD19
When assessing local files, follow these provisions from policy AD19:
Any spreadsheet, database, online list or electronic document containing SSNs must be either deleted, printed and secured, stored securely off-line on a CD or converted unless the Chief Privacy Officer grants an exception.
Documents that contain SSNs in Microsoft Word and e-mail messages must be secured, but do not need to be converted. Unnecessary files of this type should be deleted.
Both current and historical records containing SSNs in off-line storage such as paper, tape, cartridge, microfiche, microfilm or magnetic media do not need to be converted as long as access to them is limited and secured.
All online and off-line records containing SSNs will be considered confidential information. If an employee has any such records that he/she will no longer need, they should be purged in compliance with the General Retention Schedule for University Records. See http://guru.psu.edu/gfug/appendices/APP18.html for details.
Even after the launch of the new PSU ID on January 1, the University still will be required to collect the SSN of any person who wishes to enroll in academic offerings and any person employed at Penn State. Only authorized employees, however, will have access to these SSNs.
"Social Security numbers are still the unique national identifier. We need to collect them for the purpose of paying employees, coordinating health care and health care payments and reporting to other federal agencies that still work in an SSN environment," said Lindstrom.
Lindstrom added that any offices that have been granted permission from the Chief Privacy Officer to store SSNs within their systems will need to be certified as a Penn State Trusted Network. This requirement will help avoid the type of security breach that recently occurred at the California Polytechnic State University, in which 652 students may have had their SSNs compromised after a computer virus infected a computer with their personal details on it.
"Any system with confidential information should have to meet minimum security requirements," said Lindstrom. The Privacy Office and Security Operations and Services, a unit of Information Technology Services, are working together to evaluate the current security requirements at Penn State.Central systems transition
To facilitate the SSN-to-PSU ID changeover, all University Administrative Information Systems, including IBIS, ISIS, the Data Warehouse and eLion, will be taken off-line for conversion at midnight Saturday, December 18. Systems will be back online on or after December 26 as testing is completed. Beginning January 1, 2005, the PSU ID will be used in these systems and in all internal processes that do not require SSNs for reporting or taxation purposes. The University still will need to collect individuals' SSNs for certain business processes, but use of SSNs will be strictly limited by policy AD19.
Apart from the conversion of Administrative Information Systems, each department, college and campus is responsible for converting its own unique academic and administrative procedures, processes and forms to use the new PSU ID.
For more information about Penn State's SSN Conversion, visit the faculty/staff information overview on the official SSN Project Web site at http://ais.its.psu.edu/ssn.