New York University collects, maintains, and uses confidential personally identifiable information relating to its students, faculty, and other workforce members, and other individuals associated with the University. The ability to identify an individual and to associate information with an individual is vitally important to both the University and the person. The University has an obligation to ensure privacy and proper handling of personal identification numbers and to protect them against inappropriate access and use.
This policy applies to all members of the University community and covers the use, display, storage, retention, and disposal of personal identification numbers in print or electronic form. Personal identification numbers are Social Security Numbers (SSNs), New York University identification numbers (UIDs), and NetIDs. Members of the University community include full- and part-time employees (such as staff and administrators), faculty, and students, and other individuals (such as contractors, consultants, alumni, and affiliates) associated with the University.
Members of the University community shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of the personal identification numbers (SSNs, UIDs, and NetIDs) they handle, store, and/or transmit or to which they otherwise have been given or have gained access.
In adopting this policy, the University is guided by the following objectives:
The following campus officials are responsible for SSN and UID oversight in their respective areas of University operations. That responsibility extends to promoting awareness of this Policy and establishing procedures for protecting these data. Activities of these officials are aligned and integrated through a coordinating task force.
The Office of the Vice President, Information Technology and Chief Information Officer is responsible for overseeing use of the NetID in University operations.
a) NYU collects SSNs:
i. When it is required to do so by law;
ii. When no other identifier serves the business purpose; and
iii. When an individual volunteers the SSN as a means of locating or confirming personal records.
b) In other circumstances, individuals are not required to provide their SSN, verbally or in writing, at any point of service, nor are they to be denied access to those services should they refuse to provide an SSN.
c) SSN collection must be approved by the appropriate campus official (see Policy Statement above). When an SSN is requested, NYU informs the individual whether the disclosure is mandatory or voluntary, by what authority, and what uses will be made of the SSN.
SSNs will be released by NYU to persons or entities outside the University only:
a) As required by law; or
b) When permission is granted by the individual; or
c) When the external entity is acting as the University’s authorized contractor or agent and attests that no other methods of identification are available and that reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
d) When the NYU Office of General Counsel has approved the release.
a) SSNs will not be used by NYU to identify individuals except as required by law or for a University business purpose.
b) The release or posting of personal information, such as grades, keyed by the SSN or any portion thereof, is prohibited.
c) SSNs will be transmitted electronically only for business purposes approved by the officials responsible for SSN oversight and only through secure mechanisms approved by the Office of the Vice President, Information Technology and Chief Information Officer.
d) The campus officials responsible for SSN oversight will establish business rules for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.
a) The UID is a unique alphanumeric identifier assigned by the University to any member of the University community who requires an identifying number in any University system of records.
b) A UID is assigned at the earliest possible point of contact between the individual and the University.
c) The UID is associated permanently and uniquely with the individual to whom it is assigned.
a) The UID is considered personally identifiable information by the University, to be used for appropriate business purposes in support of University operations.
b) The UID is used to identify, track, and service individuals across all University electronic and paper data systems, applications, and business processes throughout the span of an individual’s association with the University and presence in the University’s records.
c) The UID is not to be disclosed or displayed publicly by the University, nor to be posted on University electronic information or data systems unless the UID is protected by access controls that limit access to properly authorized individuals.
d) The UID is imprinted and encoded on the official University photo identification card known as the NYUCard. The NYUCard is the principal means of physical identification at the University, and the use of the NYUCard by the cardholder, whether by physical display or when swiped at an electronic reader, will constitute a voluntary disclosure of the UID.
e) The release or posting of personal information keyed by the UID, such as grades, is prohibited.
f) Any document, item, file, or database that contains UIDs in print or electronic form is to be disposed of in a secure manner.
a) The NetID is a unique alphanumeric identifier assigned by the University to an individual.
b) The NetID is assigned to all persons who may require access to electronic services at the University, including students, faculty, staff, administrators, and other individuals (such as contractors, consultants, alumni, and affiliates) associated with the University.
c) The NetID is permanently and uniquely associated with the individual to whom it is assigned.
a) The NetID is considered personally identifiable information by the University.
b) The NetID is used, in conjunction with an individually set password, as an authenticated identifier for on-line transactions and may be used, in addition to the UID, to identify and track individuals within the University systems, applications, and business processes.
c) Use of the email address (NetID@nyu) constitutes a voluntary disclosure of the NetID.
d) The NetID is imprinted on the official University photo identification card known as the NYUCard. Physical display of the NetID as printed on the NYUCard by the cardholder constitutes a voluntary disclosure of the NetID.
e) The release or posting of personal information keyed by the NetID, such as grades, is prohibited.
f) Any document, item, file, or database that contains NetIDs in print or electronic form is to be disposed of in a secure manner.
Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to disciplinary action, up to and including the termination of employment or contract with the University, or, in the case of students, suspension or expulsion from the University.
Effective Date:
Supersedes: N/A
Issuing Authority: Executive Vice President
Responsible Officer: Vice President, Information Technology and Chief Information Officer