...

Protection and Use of Faculty, Staff, and Student Identifiers Standards and Procedures

A. Records Containing Identifiers*

1. Authorization:  

Only individuals with a "need-to-know"* should be authorized to access student and employee records. New hires are required to sign the University’s Employee Access and Compliance agreement (EACA) prior to receiving access to institutional identifiers <http://www.albany.edu/its/ITS_forms.htm#Information_Security>.  Student employees with access to student and employee records must sign the EACA or an equivalent non-disclosure agreement as a condition of employment.

...

The University at Albany may release SSNs or other identifiers to third parties as allowed by law, when authorization is granted by the individuals (student or staff), when the Office of the University Counsel has approved the release (e.g. subpoenas) or when the authorized third party is acting as the University at Albany's agent in the context of a valid contract or agreement, and when appropriate security is guaranteed by the contract or agreement (e.g., financial institutions providing student loans or other financial services).  All such distributions to third parties of institutional data must be performed by University systems of record or by University employees authorized to release this data.  Individual employees are not permitted to release this information directly to third parties without proper authorization.

B. Social Security Numbers

1. New York State Laws

a. Employee Records

...

1. minimizing the use of SSN or other forms of personal identification,
2. maintaining an up-to-date inventory of SSN databases and datasets, and other repositories of identifiers,
3. documenting security controls and risk remediation and communicating these to the ORRC and ISO.

...

February, 2012