Identity Protection Policy - NIU - Division of Information Technology

      

   

NIU Technology Policies & Standards

Untitled Document

Identity Protection Policy

Purpose:

To summarize the policy and procedures required to comply with the Illinois Identity Protection Act (5 ILCS 179/1, et seq.). 

Policy:

In furtherance of the Information Security Policy for Northern Illinois University (University or NIU), and in accordance with the Illinois Identity Protection Act (5 ILCS 179/1, et seq.), NIU establishes this Identity-Protection Policy to protect social security numbers from unauthorized use or disclosure.  This policy is applied in conjunction with the University’s existing policies and practices, as well as State and federal laws, on (1) protecting the confidentiality of social security numbers, and (2) reducing the opportunity for identity theft at Northern Illinois University.  Any University policy, State law or federal law that adopts standards for the collection, use or disclosure of social security numbers that are stricter than the standards outlined in this policy or the Illinois Identity Protection Act with respect to the protection of those social security numbers shall control.  This policy does not apply to the collection, use, or disclosure of a social security number as required by State or federal law, rule or regulation.

Collection, Use, or Disclosure of Social Security Numbers at NIU

The use of social security numbers at Northern Illinois University must be in furtherance of the operations and business of the University and not for the personal use or benefit of individual employees at the University.  Only NIU employees who are required to use or handle information for documents that contain social security numbers can have access to such information or documents.  Northern Illinois University will not use or disclose the social security number for any purpose other than the purpose for which it was collected, unless otherwise expressly allowed under this Policy or State and federal law, rule or regulation.  Northern Illinois University will not collect, use, or disclose a social security number from an individual, unless:

  1. (a) Required to do so under State or federal law, rules or regulations, or (b) the collection, use, or disclosure of the social security number is otherwise necessary for the performance of Northern Illinois University’s duties and responsibilities;
  2. The need and purpose for the social security number is documented in accordance with procedures/protocols issued by Human Resource Services and the ITS Office of Information Security before collection of the social security number; and
  3. The social security number collected is relevant to the documented need and purpose; or
  4. unless otherwise expressly allowed under this Policy or State and federal law, rule or regulation

Northern Illinois University may collect, use, or disclose social security numbers under the following circumstances or situations:

  • The disclosure of social security numbers to agents, employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another governmental entity or its agents, employees, contractors, or subcontractors if (1) disclosure is necessary in order for the entity to perform its duties and responsibilities and if (2) disclosing to a contractor or subcontractor, prior to such disclosure, the governmental entity must first receive from the contractor or subcontractor a copy of the contractor’s or subcontractor’s policy that sets forth how the requirements imposed under the Illinois Identity Protection Act on a governmental entity to protect an individual’s social security number will be achieved.
  • The disclosure of social security numbers pursuant to a court order, warrant, or subpoena.
  • The collection, use, or disclosure of social security numbers in order to ensure the safety of:
    • State and local government employees;
    • Persons committed to correction facilities, local jails, and other law-enforcement facilities or retention centers;
    • Wards of the State; and
    • All persons working in or visiting a State or local government agency facility.
  • The collection, use, or disclosure or social security numbers for internal verification or administrative purposes.
  • The disclosure of social security numbers by Northern Illinois University to any entity for the collection of delinquent child support or of any State debt or to a governmental agency to assist with an investigation or the prevention of fraud.
  • The collection or use of social security numbers to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm-Leach-Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit, such as a pension benefit or an unclaimed property benefit.

Social security numbers that are requested by Northern Illinois University from an individual must be placed on records/documents or stored in a manner that makes the social security number easily redacted if required to be released as part of a public records request.  If there is a request to inspect or copy records under the Illinois Freedom of Information Act or any other federal or state law, the University must redact social security numbers from the information or documents before allowing inspection or copying.  Those University entities that utilize or participate in a national unique patient health identifier program, as established under federal law, will be considered in compliance with this Policy and the Illinois Identity Protection Act.

Prohibitions on the Collection, Use, or Disclosure of Social Security Numbers at NIU

Unless otherwise expressly allowed under this Policy or State or federal law, rule or regulation, Northern Illinois University WILL NOT:

  • publicly post or publicly display in any manner an individual’s social security number;
  • print an individual’s social security number on any card required for the individual to access products or services provided by Northern Illinois University;
  • encode or embed a social security number in or on a card or document, including, but not limited to, using a car case, chip, magnetic strip, RFID technology, or other technology, in place of removing the social security number;
  • require an individual to use his or her social security number to access an Internet website;
  • require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted;
  • print an individual’s social security number on any materials that are mailed to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method of delivery, EXCEPT when (1) State or federal law requires the social security number to be on the document to be mailed, or (2) mailed in connection with the following:
    • Any material in furtherance of the administration of the Unemployment Insurance Act;
    • Any material mailed in connection with any tax administered by the Department of Revenue; and
    • Documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number;
    • print an individual’s social security number, in whole or in part, on any postcard or other mailer that does not require an envelope or makes the social security number visible on an envelope without the envelope having been opened.

Disposal of Materials Containing Personal Information

Disposal and retention of all records should occur in accordance with University Retention Guidelines available at www.compliance.niu.edu/RecordsRetention/Index.cfm.  Prior to disposing of documents contained in these guidelines, departments must request permission to destroy from Human Resource Services and receive a certificate back from the State of Illinois.  Questions regarding this process should be directed to Human Resource Services at 815-753-6000. 

Additional protocols apply to the disposal of information containing personal information.  All materials containing personal information must be disposed of in a manner that ensures that personal information is not readable, usable, and decipherable.  Proper disposal includes, but is not limited to the following:

  • paper documents containing personal information may be redacted, burned, pulverized, or shredded so that personal information cannot be read or reconstructed.
  • electronic equipment, media and other non-paper media containing personal information must be erased, wiped, sanitized, or destroyed in a manner that prevents retrieval of personal information or software such that the information cannot be reconstructed. Disposal of electronic media should occur in accordance with the NIU Procedure and Charges to Surplus Electronic Data Processing Equipment with Hard Drives Policy available at www.niu.edu/its/software/downloads/wipedisk.shtml and with the Data Security on State Computers Act (www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2438&ChapterID=5).

Any department disposing of materials containing personal information may, utilizing the University Procurement process, contract with a third party for disposal. It is the department’s responsibility to ensure that the third party implements and monitors compliance with these policies and procedures and prohibits unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.

Training

All employees of Northern Illinois University identified as having access to social security numbers in the course of performing their duties will be trained to protect the confidentiality of social security numbers in accordance with the provisions of this policy.  Such training will include instructions on proper handling of information that contains social security numbers from the time of collection through the destruction of the information.

References:

Illinois Identity Protection Act (5 ILCS 179/1, et seq.)

Northern Illinois University Information Security Policy

Northern Illinois University Records Retention Guidelines

Illinois State Records Act (5 ILCS 160/1, et seq.)

Sections 30 and 40 of the Illinois Personal Information Protection Act (815 ILCS 530/30 and 40)

NIU Procedure and Charges to Surplus Electronic Data Processing Equipment with Hard Drives Policy

Data Security on State Computers Act

10/2012