Conferences & Events
Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
pressure to reduce/eliminate use of SSNs in person registries?
I hate to start another SSN thread on this list (see Jan 2011 and Jan 2008), but I will try to constrain the topic. UW is one of those sites that has a "person registry" driving its enterprise IdM, providing identities for accounts, authorization, etc. This UPR gets the usual feeds from source systems (HR, student, alum, extension, partners) and as one of its jobs tries to match person data coming from the different sources. In our case one of the main items we match on is SSN; we get SSNs from the student and HR sources. UW, probably years behind other campuses, is moving toward having a comprehensive enterprise SSN-handling policy. This new doc sets out the acceptable situations for obtaining and using SSNs, driven primarily by federal and state law and regulation. Processes like hiring and student financial aid require SSN, by law, so are explictly permitted. Identity management matching is not required, so is a point of contention. Our IAM team is seeking explicit permission for our long-standing practice. Some other policy-drafting participants are pushing back, saying that SSNs can only be used for this purpose if individuals give their permission (ie, opt-in). (It is notable that use of SSN for matching student applicant records between institutions is another non-mandated practice that is seeking, or may already have, this exemption.) So, we're curious whether IAM operations at other campuses have been subject to pressure to remove SSNs, or obtain user permission to use them (which seems hopeless to me), and whether your operations have changed as a result. We're not asking, today, about alternative matching approaches, or ways of protecting SSNs (but of course discussion will go where it will). Thanks, - RL "Bob" Morgan UW-IT IAM