Policy on Personal Identification Numbers
Reason for Policy
New York University collects, maintains, and uses confidential personally identifiable information relating to its students, faculty, and other workforce members, and other individuals associated with the University. The ability to identify an individual and to associate information with an individual is vitally important to both the University and the person. The University has an obligation to ensure privacy and proper handling of personal identification numbers and to protect them against inappropriate access and use.
Who Is Affected By This Policy
This policy applies to all members of the University community and covers the use, display, storage, retention, and disposal of personal identification numbers in print or electronic form. Personal identification numbers are Social Security Numbers (SSNs), New York University identification numbers (UIDs), and NetIDs. Members of the University community include full- and part-time employees (such as staff and administrators), faculty, and students, and other individuals (such as contractors, consultants, alumni, and affiliates) associated with the University.
Members of the University community shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of the personal identification numbers (SSNs, UIDs, and NetIDs) they handle, store, and/or transmit or to which they otherwise have been given or have gained access.
In adopting this policy, the University is guided by the following objectives:
- To ensure that the necessary awareness and procedures exist so that all members of the University community comply with both the letter and the spirit of the federal and state privacy legislation;
- To inculcate broad awareness of the confidential nature of the SSN;
- To reduce reliance for identification purposes on the SSN in favor of the UID;
- To establish a consistent policy towards and treatment of SSNs throughout the University;
- To ensure that access to SSNs for the purpose of conducting University business is granted only to the extent necessary;
- To enhance and preserve individual privacy for members of the University community through the confidential handling of personal identification numbers;
- To use, throughout the University, a unique UID that serves as the primary identification element for persons associated with NYU and be applicable across the entire NYU enterprise; and
- To ensure that each member of the University community takes full responsibility for any activity done under that individual’s NetID.
The following campus officials are responsible for SSN and UID oversight in their respective areas of University operations. That responsibility extends to promoting awareness of this Policy and establishing procedures for protecting these data. Activities of these officials are aligned and integrated through a coordinating task force.
- Alumni: Senior Vice President for Development and Alumni Relations
- Students: University Registrar
- Prospective students and applicants: Vice President for Enrollment Management
- Faculty, Visiting Scholars, and researchers: Vice Provost for Faculty, Arts, Humanities and Diversity
- Employees and prospective employees: Vice President, Human Resources
- All other affiliated individuals: Vice President for Global Campus Safety
The Office of the Vice President, Information Technology and Chief Information Officer is responsible for overseeing use of the NetID in University operations.
A. Social Security Numbers
1. Provision of Information
a) NYU collects SSNs:
i. When it is required to do so by law;
ii. When no other identifier serves the business purpose; and
iii. When an individual volunteers the SSN as a means of locating or confirming personal records.
b) In other circumstances, individuals are not required to provide their SSN, verbally or in writing, at any point of service, nor are they to be denied access to those services should they refuse to provide an SSN.
c) SSN collection must be approved by the appropriate campus official (see Policy Statement above). When an SSN is requested, NYU informs the individual whether the disclosure is mandatory or voluntary, by what authority, and what uses will be made of the SSN.
2. Release of SSNs
SSNs will be released by NYU to persons or entities outside the University only:
a) As required by law; or
b) When permission is granted by the individual; or
c) When the external entity is acting as the University’s authorized contractor or agent and attests that no other methods of identification are available and that reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
d) When the NYU Office of General Counsel has approved the release.
3. Use, Display, Storage, Retention, and Disposal
a) SSNs will not be used by NYU to identify individuals except as required by law or for a University business purpose.
b) The release or posting of personal information, such as grades, keyed by the SSN or any portion thereof, is prohibited.
c) SSNs will be transmitted electronically only for business purposes approved by the officials responsible for SSN oversight and only through secure mechanisms approved by the Office of the Vice President, Information Technology and Chief Information Officer.
d) The campus officials responsible for SSN oversight will establish business rules for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.
B. New York University Identification Numbers
1. Assignment Eligibility and Issuance
a) The UID is a unique alphanumeric assigned by the University to any member of the University community who requires an identifying number in any University system of records.
b) A UID is assigned at the earliest possible point of contact between the individual and the University.
c) The UID is associated permanently and uniquely with the individual to whom it is assigned.
2. Use, Display, Storage, Retention, and Disposal
a) The UID is considered personally identifiable information by the University, to be used for appropriate business purposes in support of University operations.
b) The UID is used to identify, track, and service individuals across all University electronic and paper data systems, applications, and business processes throughout the span of an individual’s association with the University and presence in the University’s records.
c) The UID is not to be disclosed or displayed publicly by the University, nor to be posted on University electronic information or data systems unless the UID is protected by access controls that limit access to properly authorized individuals.
d) The UID is imprinted and encoded on the official University photo identification card known as the NYUCard. The NYUCard is the principal means of physical identification at the University, and the use of the NYUCard by the cardholder, whether by physical display or when swiped at an electronic reader, will constitute a voluntary disclosure of the UID.
e) The release or posting of personal information keyed by the UID, such as grades, is prohibited.
f) Any document, item, file, or database that contains UIDs in print or electronic form is to be disposed of in a secure manner.
1. Assignment Eligibility and Issuance
a) The NetID is a unique alphanumeric assigned by the University to an individual.
b) The NetID is assigned to all persons who may require access to electronic services at the University, including students, faculty, staff, administrators, and other individuals (such as contractors, consultants, alumni, and affiliates) associated with the University.
c) The NetID is permanently and uniquely associated with the individual to whom it is assigned.
2. Use, Display, Storage, Retention, and Disposal
a) The NetID is considered personally identifiable information by the University.
b) The NetID is used, in conjunction with an individually set password, as an authenticated identifier for on-line transactions and may be used, in addition to the UID, to identify and track individuals within the University systems, applications, and business processes.
c) Use of the email address (NetID@nyu) constitutes a voluntary disclosure of the NetID.
d) The NetID is imprinted on the official University photo identification card known as the NYUCard. Physical display of the NetID as printed on the NYUCard by the cardholder constitutes a voluntary disclosure of the NetID.
e) The release or posting of personal information keyed by the NetID, such as grades, is prohibited.
f) Any document, item, file, or database that contains NetIDs in print or electronic form is to be disposed of in a secure manner.
D. Responsibility for Maintenance and Access Control
- The University-wide UID and the NetID Registries are maintained and administered by NYU Information Technology (NYU IT). Other University offices may maintain and administer electronic and physical repositories containing personal identification numbers for uses in accordance with this policy.
- Access to electronic and physical repositories containing SSNs, UIDs, and NetIDs will be controlled based upon reasonable and appropriate administrative, physical, technical, and organizational safeguards. Such repositories will be backed up and stored in a secure manner.
- Individuals who inadvertently gain access to a file or database that contains SSNs or UIDs for which they have not been authorized shall report it immediately to NYU IT Office of Information Security (firstname.lastname@example.org).
Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to disciplinary action, up to and including the termination of employment or contract with the University, or, in the case of students, suspension or expulsion from the University.