SOCIAL SECURITY ADMINISTRATION
UNIVERSITIES'
USE OF SOCIAL
SECURITY NUMBERS AS STUDENT
IDENTIFIERS IN REGION V
June 2005
A-05-05-15081
AUDIT REPORT
Mission
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.
MEMORANDUM
Date: June 7, 2005
To: James F. Martin
Regional Commissioner Chicago
From: Inspector General
Subject: Universities' Use of Social Security Numbers as Student Identifiers in Region V (A-05-05-15081)
OBJECTIVE
Our objective was to assess universities' use of Social Security numbers (SSN) as student identifiers and the potential risks associated with such use.
BACKGROUND
Millions of students enroll in educational institutions each year. To assist
in this process, many colleges and universities use students' SSNs as personal
identifiers. The American Association of Collegiate Registrars and Admissions
Officers found that almost half of member institutions that responded to a 2002
survey used SSNs as the primary student identifier. Although no single Federal
law regulates overall use and disclosure of SSNs by colleges and universities,
the Privacy Act of 1974, the Family Educational Rights and Privacy Act, and
the Social Security Act, contain provisions that govern disclosure and use of
SSNs. See Appendix B for more information on the specific provisions of these
laws.
We selected a sample of 12 universities in Region V. For each selected university,
we interviewed university personnel and reviewed the policies and practices
for the use of SSNs. See Appendices C and D for additional details on the scope
and methodology of our review and a list of the universities we contacted, respectively.
We are conducting a review in each of the Social Security Administration's (SSA)
10 regions and will issue separate reports to each Regional Commissioner.
RESULTS OF REVIEW
Based on interviews with personnel at 12 universities and reviews of the universities' policies and practices, we identified 7 universities that use the SSN as the primary student identifier, even when another identifier would suffice. The unnecessary use of SSNs increases the potential for unscrupulous individuals to gain access to these numbers and misuse them, thus creating SSN integrity issues. To address such issues, five universities included in our review have taken steps to eliminate or reduce SSN use.
UNIVERSITIES USE SSN AS PRIMARY STUDENT IDENTIFIER
Universities typically collect student SSNs on admissions applications and financial aid forms. The universities use SSNs for a variety of purposes, such as applications for admission, class registration, class rosters, grade reporting, computer log on, and transcript requests. Of the 12 universities in our review, we found that 7 used the SSN as a primary student identifier because of computer system requirements, common historical practice, convenience, and/or identity verification. In addition, we found that one university displayed the last five digits of the SSN on student identification cards.
All of the seven universities using the SSN as the primary student identifier plan to reduce the use of the SSN where possible within the next 2 years. The university that displays the last five digits of the SSN on student identification cards stated that cards will not display any part of the SSN when the university implements their new computer system. However, none of the universities plan to completely eliminate use of the SSN as an identifier. The SSN will continue to be used for such purposes as financial aid, Federal reporting, and payroll. The universities plan to use an alternate number as the primary student identifier.
UNIVERSITIES AND STATES LIMIT SSN USE
Recent incidences of identity theft at universities have led some schools to reconsider the practice of using SSNs as primary student identifiers. In fact, five universities, the University of Northwestern Ohio (UNO), Indiana University - Bloomington (IUB), the University of Wisconsin - Milwaukee (UWM), the University of Minnesota - Twin Cities (UMN), and Roosevelt University (RU), assign each student a unique identification number that becomes the student's primary university identification number. However, all five of the universities do use the SSN in some capacity, such as for financial aid purposes, for Federal reporting, to verify a student's identity, to help identify duplicate records, and to verify a transcript.
UNO assigns a system-generated identification number when a student is admitted to the university that is used as the primary identifier. The university has used its current student number system since records were computerized in the 1980s. The SSN is used as a secondary identifier. Student records are accessible by either the student number or the SSN. Official transcripts are the only documents produced by the university that display student SSNs.
IUB assigns a random 10-digit university identification number as the primary student identifier. Students are not required to provide their SSN to the university unless they wish to participate in Federal Financial Aid programs. However, most students voluntarily provide their SSN. Official transcripts display the last four digits of the SSN, if provided, to facilitate matching student information with outside institutions.
UWM assigns a nine-digit number as the primary student identifier. Students use the university-assigned identifier along with a personal identification number (PIN) to access the university's computer system. However, students can elect to use their SSN plus a PIN to access the system. Student records are accessible by either the university-assigned identifier or the SSN. The SSN is displayed on official transcripts.
UMN staff said that the university has never used the SSN as the primary student identifier. Students are assigned a university identification number. The university has, where possible, made the SSN field optional. The SSN does not appear on UMN official transcripts. UMN is establishing a formal policy regarding the university's use of the SSN. The goals of the policy are to reduce the collection and use of the SSN where possible and to require disclosure statements when the SSN is collected.
RU assigns each student a nine-digit student identification number upon admission to the university that becomes the student's primary identifier. The university continues to maintain SSN information in the student record. Either the student identification number or SSN and a password are used to access the university's computer system. RU has plans to further reduce its use of the SSN by changing forms that request SSNs to instead request student identification numbers. RU implemented its current student numbering system on November 1, 2004. Official transcripts and mailed grade reports are the only documents produced by the university that display masked SSNs.
Five of the six States in Region V have passed legislation regarding the use
or display of the SSN.
Illinois passed legislation that directs a task force to "
examine
the procedures used by the State to protect an individual against the unauthorized
disclosure of his or her social security number when the State requires the
individual to provide his or her social security number to an officer or agency
of the State."
Indiana passed legislation that prohibits State agencies from compelling an individual to provide their SSN to a State agency against the individual's will, absent Federal requirements to the contrary. Any forms that request the SSN must state the reason the SSN is requested and notification that either the State is required by Federal law to obtain the SSN and the form cannot be processed without it or the individual has the right to refuse to provide the SSN and will not be penalized for doing so. In addition, an individual may request that his or her SSN be removed from a State agency's record, and the State agency must substitute a new identification number to be used by the individual.
Michigan passed legislation that includes a provision prohibiting the use of " all or more than 4 sequential digits of the social security number as the primary account number " for an employee, student or other individual.
Minnesota passed legislation that requires that an individual asked to provide private or confidential data be informed of the purpose and intended use of the requested data within the State agency, whether the individual may refuse to provide the requested information, any known consequences for not providing the requested information, and the identity of those authorized by State or Federal law to receive the information. State agencies cannot collect, store, use, or disseminate private or confidential data of an individual for any other purpose than those stated to the individual at the time of collection. This act identifies the SSN and educational data as private.
Wisconsin passed legislation that prohibits an institution of higher education from assigning any student an "identification number that is identical to or incorporates the student's Social Security number." The act defines an institution of higher education as either a State or private educational institution located in Wisconsin that awards a bachelor's or higher degree or provides programs that are acceptable toward such a degree.
POTENTIAL RISKS ASSOCIATED WITH USING SSNs AS STUDENT IDENTIFIERS
Universities' use of SSNs as primary identification numbers entails certain risks, including potential identity theft and fraud. Each time an individual divulges his or her SSN, he or she is exposed to having the number stolen and used for unintended purposes. The exposure to identity theft increases when the SSN is the student identification number. It is important for universities, as well as individuals, to help prevent identity theft and fraud to the extent possible by reducing this exposure.
One university we interviewed reported that several years ago, a university server was breached, and a file with information for approximately 2,000 students was accessed. The university paid for those students to obtain credit reports. Although we identified no other instances of SSN misuse at the universities we reviewed in Region V, below are examples from other universities that illustrate the risks of using SSNs.
A university professor in Washington was indicted on 33 counts of mail fraud in a scam using students' SSNs. The professor allegedly accessed the university's records system and used students' information to obtain new SSN cards by posing as a parent. The professor then allegedly used the SSNs to obtain credit cards and birth certificates.
California authorities arrested a man suspected of stealing the names and SSNs of 150 college students and using that information to obtain credit cards and charge over $200,000 in the students' names.
A New York school notified about 1,800 students that their SSNs and other personal information had been posted on a university web site. The university shut down the website.
A student at a Texas university was indicted for hacking into the school's computer network and downloading the names and SSNs of over 37,000 students, faculty, and alumni.
A man discovered a computer printout in a trash bin near a Pennsylvania university listing SSNs and other personal data for hundreds of students.
CONCLUSION AND RECOMMENDATIONS
Despite the potential risks associated with using SSNs as primary student identifiers, many universities continue this practice. We recognize the challenge of educating such a large number of universities. However, given the potential threats to SSN integrity, such a challenge should not discourage SSA from taking steps to safeguard SSNs. Given the potential risks for SSN misuse and identity theft, we believe SSA can better safeguard SSN integrity by educating universities about unnecessary SSN use.
One of the universities we reviewed in Region V, UMN, has successfully refrained from using the SSN as the primary student identifier. In addition, UMN plans to further reduce the collection and use of SSNs where possible and to require disclosure statements when the SSN is collected. This practice reflects that UMN recognizes the increased concern of individual privacy and the risk of identity theft. We believe that UMN's practices can serve as a model for other universities to limit their collection and use of SSNs.
Accordingly, we recommend that SSA:
1. Coordinate with colleges/universities and State/regional educational associations to educate the university community about the potential risks associated with using SSNs as student identifiers.
2. Encourage colleges/universities to limit their collection and use of SSNs.
3. Promote the best practices of educational institutions, such as UMN, that do not use the SSN as student identifiers.
AGENCY COMMENTS
In commenting on our draft report, SSA agreed with our recommendations. The Regional Commissioner also suggested that SSA's Central Office prepare a national release of public information materials related to universities' use of SSNs. See Appendix E for the full text of SSA's comments.
OIG RESPONSE
A national release of public information materials related to universities' use of SSNs would be an effective forum to educate universities on SSN abuse and to provide information on the best practices of educational institutions that do not use the SSN as student identifiers. Accordingly, we encourage the Regional Commissioner to work with the Deputy Commissioner for Operations to create the national release.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Federal Laws that Govern Disclosure and Use of the Social Security
Number
APPENDIX C - Scope and Methodology
APPENDIX D - Universities Reviewed
APPENDIX E - Agency Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
Burns Ind. Code Ann. Burns Indiana Code Annotated
C.F.R. Code of Federal Regulations
FERPA Family Educational Rights and Privacy Act
ILCS Illinois Compiled Statutes
IUB Indiana University - Bloomington
MCLS Michigan Compiled Laws Service
Minn. Stat. Minnesota Statutes
PIN Personal Identification Number
Pub. L. Public Law
RU Roosevelt University
SSA Social Security Administration
SSN Social Security Number
UMN University of Minnesota - Twin Cities
UNO University of Northwestern Ohio
U.S.C. United States Code
UWM University of Wisconsin - Milwaukee
Wis. Stat. Wisconsin Statutes
Appendix B
Federal Laws that Govern Disclosure and Use of the Social Security Number
The following Federal laws establish a general framework for disclosing and
using the Social Security number (SSN).
The Privacy Act of 1974 (5 U.S.C. § 552a; Pub. L. No. 93-579, §§ 7 (a) and 7 (b))
The Privacy Act of 1974 provides that it is unlawful for a State government agency to deny any person a right, benefit, or privilege provided by law based on the individual's refusal to disclose his or her SSN, unless such disclosure was required to verify the individual's identity under a statute or regulation in effect before January 1, 1975. Further, under Section 7(b), a State agency requesting that an individual disclose his or her SSN must inform the individual whether the disclosure is voluntary or mandatory, by what statutory or other authority the SSN is solicited and what uses will be made of the SSN.
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA applies to those schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, an educational institution must have written permission from the parent or eligible student to release any personally identifiable information (which includes SSNs) from a student's education record. FERPA does, however, provide certain exceptions in which a school is allowed to disclose records without consent. These exceptions include disclosure without consent to university personnel internally who have a legitimate educational interest in the information, to officials of institutions where the student is seeking to enroll/transfer, to parties to whom the student is applying for financial aid, to the parent of a dependent student, to appropriate parties in compliance with a judicial order or lawfully issued subpoena, or to health care providers in the event of a health or safety emergency.
The Social Security Act
The Social Security Act states, "Social security account numbers and related
records that are obtained or maintained by authorized persons pursuant to any
provision of law, enacted on or after October 1, 1990, shall be confidential,
and no authorized person shall disclose any such social security account number
or related record."
(42 U.S.C. §405(c)(2)(C)(viii)). The Social Security Act also states, "
[w]hoever
discloses, uses, or compels the disclosure of the social security number of
any person in violation of the laws of the United States; shall be guilty of
a felony
" (42 U.S.C. §408(a)(8)).
Appendix C
Scope and Methodology
To accomplish our objective, we:
selected 2 universities from each of the 6 States in Region V - 1 university with more than 15,000 students and 1 university with fewer than 15,000 students;
interviewed selected university personnel responsible for student admissions, registration, or information systems either by on-site visit or teleconference;
reviewed Internet websites of 12 universities;
reviewed applicable Federal laws and regulations, applicable State laws and the Social Security Administration's (SSA) Program Operations Manual System; and
reviewed selected studies, articles, and reports regarding universities' use of Social Security numbers (SSN) as student identifiers.
We visited six universities and conducted interviews via teleconference at
six others to learn more about their policies and practices for using SSNs as
student identifiers. Our review of internal controls was limited to gaining
an understanding of universities' policies over the collection, protection,
and use/disclosure of SSNs. The SSA component reviewed was the Office of the
Deputy Commissioner for Operations. We conducted our audit from October 2004
through March 2005 in accordance with generally accepted government auditing
standards.
Appendix D
Universities Reviewed
We interviewed personnel at 12 universities in Region V. The table below shows the names and locations of these schools as well as their total student enrollments.
School Location Student Enrollment
1 Ohio State University Columbus, Ohio 47,375
2 University of Minnesota - Twin Cities Minneapolis, Minnesota 42,989
3 Indiana University - Bloomington Bloomington, Indiana 37,105
4 Central Michigan University Mount Pleasant, Michigan 27,483
5 College of DuPage Glen Ellyn, Illinois 26,874
6 University of Wisconsin - Milwaukee Milwaukee, Wisconsin 24,173
7 University of Southern Indiana Evansville, Indiana 9,558
8 Roosevelt University Chicago, Illinois 7,149
9 Lakeland College Sheboygan, Wisconsin 3,829
10 University of Northwestern Ohio Lima, Ohio 2,665
11 Southwestern Michigan College Dowagiac, Michigan 2,266
12 Saint John's University Collegeville, Minnesota 2,027
Source: We determined student enrollment by reviewing the following website:
www.collegeboard.com
Appendix E
Agency Comments
Date: May 18, 2005
To: Inspector General
From: Regional Commissioner Chicago
Subject: Universities' Use of Social Security Numbers as Student Identifiers
in Region V (A-05-05-15081) (Your Request of April 26, 2005) -- REPLY
Thank you for giving us the opportunity to comment on the subject draft. We
agree with your recommendations:
1. Coordinate with colleges/universities and State/regional educational associations
to educate the university community about the potential risks associated with
using SSNs as student identifiers.
2. Encourage colleges/universities to limit their collection and use of SSNs.
3. Promote the best practices of educational institutions, such as UMN, that do not use the SSN as student identifiers.
We will incorporate a discussion of universities' use of SSNs and the need to protect against SSN abuse into our contacts with educational institutions. We would also suggest that SSA headquarters prepare a national release of public information materials on this subject, since most of the instances of SSN abuse in universities noted in your report occurred in other regions.
If your staff have any questions, they may call Denise Niesman of the Management and Operations Support, Retirement and Survivors Insurance Team at (312) 575-4241.
James F. Martin
Appendix F
OIG Contacts and Staff Acknowledgments
OIG Contacts
Mark Bailey, Director, Chicago Audit Division (816) 936-5591
Teresa Williams, Audit Manager (312) 353-0331
Acknowledgments
In addition to those named above:
Elizabeth Juárez, Auditor-in-Charge
Sherman Doss, Auditor
Anthony Lesniak, Auditor
Deborah Taylor, Auditor
Cheryl Robinson, Writer-Editor
For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-05-05-15081.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Executive Operations (OEO). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Executive Operations
OEO supports OIG by providing information resource management and systems security.
OEO also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OEO is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.